Search criteria

Related vulnerabilities

PYSEC-2026-615

Vulnerability from pysec - Published: 2026-07-01 22:16 - Updated: 2026-07-03 12:58
VLAI?
Details

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

Impacted products
Name purl
wagtail pkg:pypi/wagtail

{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail",
        "purl": "pkg:pypi/wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.8"
            },
            {
              "introduced": "7.1"
            },
            {
              "fixed": "7.3.3"
            },
            {
              "introduced": "7.4"
            },
            {
              "fixed": "7.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.2",
        "0.3",
        "0.3.1",
        "0.4",
        "0.4.1",
        "0.5",
        "0.6",
        "0.7",
        "0.8",
        "0.8.1",
        "0.8.10",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.6",
        "0.8.7",
        "0.8.8",
        "0.8.9",
        "1.0",
        "1.0b1",
        "1.0b2",
        "1.0rc1",
        "1.0rc2",
        "1.1",
        "1.10",
        "1.10.1",
        "1.10rc1",
        "1.11",
        "1.11.1",
        "1.11rc1",
        "1.12",
        "1.12.1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.5",
        "1.12.6",
        "1.12rc1",
        "1.13",
        "1.13.1",
        "1.13.2",
        "1.13.3",
        "1.13.4",
        "1.13rc1",
        "1.1rc1",
        "1.2",
        "1.2rc1",
        "1.3",
        "1.3.1",
        "1.3rc1",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4rc1",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5rc1",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6rc1",
        "1.7",
        "1.7rc1",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.8rc1",
        "1.9",
        "1.9.1",
        "1.9rc1",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.0b1",
        "2.0rc1",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.1.3",
        "2.10",
        "2.10.1",
        "2.10.2",
        "2.10rc1",
        "2.10rc2",
        "2.11",
        "2.11.1",
        "2.11.2",
        "2.11.3",
        "2.11.4",
        "2.11.5",
        "2.11.6",
        "2.11.7",
        "2.11.8",
        "2.11.9",
        "2.11rc1",
        "2.12",
        "2.12.1",
        "2.12.2",
        "2.12.3",
        "2.12.4",
        "2.12.5",
        "2.12.6",
        "2.12rc1",
        "2.13",
        "2.13.1",
        "2.13.2",
        "2.13.3",
        "2.13.4",
        "2.13.5",
        "2.13rc1",
        "2.13rc2",
        "2.13rc3",
        "2.14",
        "2.14.1",
        "2.14.2",
        "2.14rc1",
        "2.15",
        "2.15.1",
        "2.15.2",
        "2.15.3",
        "2.15.4",
        "2.15.5",
        "2.15.6",
        "2.15rc1",
        "2.15rc2",
        "2.16",
        "2.16.1",
        "2.16.2",
        "2.16.3",
        "2.16rc1",
        "2.16rc2",
        "2.1rc1",
        "2.1rc2",
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.2rc1",
        "2.2rc2",
        "2.3",
        "2.3rc1",
        "2.3rc2",
        "2.4",
        "2.4rc1",
        "2.5",
        "2.5.1",
        "2.5.2",
        "2.5rc1",
        "2.6",
        "2.6.1",
        "2.6.2",
        "2.6.3",
        "2.6rc1",
        "2.7",
        "2.7.1",
        "2.7.2",
        "2.7.3",
        "2.7.4",
        "2.7rc1",
        "2.7rc2",
        "2.8",
        "2.8.1",
        "2.8.2",
        "2.8rc1",
        "2.9",
        "2.9.1",
        "2.9.2",
        "2.9.3",
        "2.9rc1",
        "3.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0rc1",
        "3.0rc2",
        "3.0rc3",
        "4.0",
        "4.0.1",
        "4.0.2",
        "4.0.3",
        "4.0.4",
        "4.0rc1",
        "4.0rc2",
        "4.1",
        "4.1.1",
        "4.1.2",
        "4.1.3",
        "4.1.4",
        "4.1.5",
        "4.1.6",
        "4.1.7",
        "4.1.8",
        "4.1.9",
        "4.1rc1",
        "4.2",
        "4.2.1",
        "4.2.2",
        "4.2.3",
        "4.2.4",
        "4.2rc1",
        "5.0",
        "5.0.1",
        "5.0.2",
        "5.0.3",
        "5.0.4",
        "5.0.5",
        "5.0rc1",
        "5.1",
        "5.1.1",
        "5.1.2",
        "5.1.3",
        "5.1rc1",
        "5.2",
        "5.2.1",
        "5.2.2",
        "5.2.3",
        "5.2.4",
        "5.2.5",
        "5.2.6",
        "5.2.7",
        "5.2.8",
        "5.2rc1",
        "6.0",
        "6.0.1",
        "6.0.2",
        "6.0.3",
        "6.0.4",
        "6.0.5",
        "6.0.6",
        "6.0rc1",
        "6.1",
        "6.1.1",
        "6.1.2",
        "6.1.3",
        "6.1rc1",
        "6.1rc2",
        "6.2",
        "6.2.1",
        "6.2.2",
        "6.2.3",
        "6.2.4",
        "6.2rc1",
        "6.3",
        "6.3.1",
        "6.3.2",
        "6.3.3",
        "6.3.4",
        "6.3.5",
        "6.3.6",
        "6.3.7",
        "6.3.8",
        "6.3rc1",
        "6.3rc2",
        "6.4",
        "6.4.1",
        "6.4.2",
        "6.4rc1",
        "7.0",
        "7.0.1",
        "7.0.2",
        "7.0.3",
        "7.0.4",
        "7.0.5",
        "7.0.6",
        "7.0.7",
        "7.0rc1",
        "7.1",
        "7.1.1",
        "7.1.2",
        "7.1.3",
        "7.2",
        "7.2.1",
        "7.2.2",
        "7.2.3",
        "7.2rc1",
        "7.3",
        "7.3.1",
        "7.3.2",
        "7.3rc1",
        "7.4",
        "7.4.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54262",
    "GHSA-8634-mr4j-r72c"
  ],
  "details": "Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the \"Can submit translation\" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.",
  "id": "PYSEC-2026-615",
  "modified": "2026-07-03T12:58:59.841624Z",
  "published": "2026-07-01T22:16:49.787Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-54262 (GCVE-0-2026-54262)

Vulnerability from cvelistv5 – Published: 2026-07-01 21:11 – Updated: 2026-07-02 12:42
VLAI?
Title
Wagtail: Pages translations can be created without page permissions when using simple_translation
Summary
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
CWE
  • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
References
Impacted products
Vendor Product Version
wagtail wagtail Affected: < 7.0.8
Affected: >= 7.1.0, < 7.3.3
Affected: >= 7.4.0, < 7.4.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54262",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T12:42:05.464782Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T12:42:13.452Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wagtail",
          "vendor": "wagtail",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.0.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.1.0, \u003c 7.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.4.0, \u003c 7.4.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the \"Can submit translation\" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T21:11:27.671Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c"
        }
      ],
      "source": {
        "advisory": "GHSA-8634-mr4j-r72c",
        "discovery": "UNKNOWN"
      },
      "title": "Wagtail: Pages translations can be created without page permissions when using simple_translation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54262",
    "datePublished": "2026-07-01T21:11:27.671Z",
    "dateReserved": "2026-06-12T17:13:32.279Z",
    "dateUpdated": "2026-07-02T12:42:13.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}