CVE-2026-54260
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
In Wagtail, an open source CMS built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2 allow an authenticated admin user to trigger expensive rendition processing with crafted filter specs, potentially causing service degradation. The vulnerability is not exploitable by ordinary site visitors without Wagtail admin access.
Risk Assessment
The risk is a potential Denial of Service (DoS) attack by an admin user, which could slow down or make the CMS unavailable to other users.
Recommendation
Immediately upgrade Wagtail to version 7.0.8, 7.3.3, or 7.4.2, depending on your release branch.
Original NVD description (English source)
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

