CVE-2026-28223: Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface
A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the “Translate” action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user’s credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
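The root cause described above is a confirmation message that places an editor-controlled page title into admin HTML without escaping it. The following is an added illustration, not Wagtail's own code or the patched code from the referenced commits: it contrasts the unsafe interpolation pattern with the escaped form and adds a small guard a test suite can use to catch a regression. The function names, message wording and the crafted title are assumptions; only the standard library is used so it runs without Django installed (Django's equivalents are `django.utils.html.escape` and `django.utils.html.format_html`).

```python
"""Added example (not Wagtail's code): why a page title must be escaped before it
is placed inside an HTML admin message.

Assumption: the vulnerable pattern is a confirmation message built by string
formatting a user-controlled page title and then treating the result as safe
markup. The function and message names below are hypothetical; only the
standard library is used so the file runs without Django installed (Django's
equivalents are django.utils.html.escape and django.utils.html.format_html).
"""
from html import escape
import re

# Constructed page title an editor could save. The tag is inert in this script;
# it only shows whether a renderer preserves markup that came from data.
CRAFTED_TITLE = "Contact <script>/*constructed*/</script> page"
BENIGN_TITLE = "Contact & support"


def build_message_unescaped(title: str, locale: str) -> str:
    """Vulnerable pattern: the raw title is interpolated into HTML that the
    admin will render as-is (the equivalent of wrapping the result in mark_safe)."""
    return f"<b>{title}</b> was successfully submitted for translation into {locale}."


def build_message_escaped(title: str, locale: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped before it is
    placed in the markup, which is what format_html() does for its arguments."""
    return (
        f"<b>{escape(title)}</b> was successfully submitted for translation "
        f"into {escape(locale)}."
    )


# Tags the message template itself is allowed to emit; any other tag in the
# rendered output must have come from untrusted data.
ALLOWED_TAGS = {"b", "/b"}
TAG_RE = re.compile(r"<\s*(/?\w+)")


def contains_unexpected_tags(html: str) -> bool:
    """Defensive check for a unit test: does the rendered message contain a tag
    that the template did not put there?"""
    return any(m.group(1).lower() not in ALLOWED_TAGS for m in TAG_RE.finditer(html))


if __name__ == "__main__":
    for builder in (build_message_unescaped, build_message_escaped):
        out = builder(CRAFTED_TITLE, "French")
        print(f"{builder.__name__}: leaks tags={contains_unexpected_tags(out)}")
        print("   ", out)
```

The guard is deliberately strict about which tags the template may contain, so a test that renders the message with a title containing markup fails the moment escaping is dropped again. In a Django code base the same intent is expressed by building admin messages with `format_html()` and never applying `mark_safe()` to a string that was assembled with user data.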
References
- github.com/advisories/GHSA-p4v8-rw59-93cq
- github.com/wagtail/wagtail
- github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863
- github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19
- github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c
- github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143
- github.com/wagtail/wagtail/releases/tag/v6.3.8
- github.com/wagtail/wagtail/releases/tag/v7.0.6
- github.com/wagtail/wagtail/releases/tag/v7.2.3
- github.com/wagtail/wagtail/releases/tag/v7.3.1
- github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq
- nvd.nist.gov/vuln/detail/CVE-2026-28223