Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN117
_____________________________________________________________________

DATE                : 04/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running wagtail versions prior to 6.3.6,
                                 7.0.4, 7.1.3, 7.2.2, 7.3.

=====================================================================
https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348
_____________________________________________________________________


Improper permission handling on admin preview endpoints
Moderate
laymonage published GHSA-4qvv-g3vr-m348 Feb 3, 2026

Package
wagtail (pip)

Affected versions
<6.3.6, 6.4 - 7.0.3, 7.1 - 7.1.2, 7.2 - 7.2.1

Patched versions
6.3.6, 7.0.4, 7.1.3, 7.2.2, 7.3

Description


Impact

Due to a missing permission check on the preview endpoints, a user 
with access to the Wagtail admin and knowledge of a model's fields can 
craft a form submission to obtain a preview rendering of any page, 
snippet or site setting object for which previews are enabled, 
consisting of any data of the user's choosing. The existing data of 
the object itself is not exposed, but depending on the nature of the 
template being rendered, this may expose other database contents that 
would otherwise only be accessible to users with edit access over the 
model. The vulnerability is not exploitable by an ordinary site 
visitor without access to the Wagtail admin.


Patches

Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 
7.2.2. The new 7.3 feature release also incorporates this fix.


Workarounds

No workaround is available.


Acknowledgements

Many thanks to @thxtech for reporting this issue.
For more information

If you have any questions or comments about this advisory:

    Visit Wagtail's support channels
    Email us at security@wagtail.org (view our security policy for 
more information).

Severity
Moderate
5.1/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required High
User interaction None
Vulnerable System Impact Metrics
Confidentiality Low
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-25517

Weaknesses
Weakness CWE-862


Credits

    @thxtech thxtech Reporter
    @gasman gasman Remediation developer
    @RealOrangeOne RealOrangeOne Remediation reviewer
    @laymonage laymonage Remediation verifier


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================