Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-25517

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-04 Feb, 2026 | 20:48
Updated At-05 Feb, 2026 | 14:32
Rejected At-
Credits

Wagtail has improper permission handling on admin preview endpoints

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:04 Feb, 2026 | 20:48
Updated At:05 Feb, 2026 | 14:32
Rejected At:
▼CVE Numbering Authority (CNA)
Wagtail has improper permission handling on admin preview endpoints

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

Affected Products
Vendor
wagtail
Product
wagtail
Versions
Affected
  • < 6.3.6
  • >= 6.4rc1, < 7.0.4
  • >= 7.1rc1, < 7.1.3
  • >= 7.2rc1, < 7.2.2
  • = 7.3rc1
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348
x_refsource_CONFIRM
https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719
x_refsource_MISC
https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f
x_refsource_MISC
https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190
x_refsource_MISC
https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915
x_refsource_MISC
https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03
x_refsource_MISC
Hyperlink: https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719
Resource:
x_refsource_MISC
Hyperlink: https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f
Resource:
x_refsource_MISC
Hyperlink: https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190
Resource:
x_refsource_MISC
Hyperlink: https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915
Resource:
x_refsource_MISC
Hyperlink: https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:04 Feb, 2026 | 21:16
Updated At:20 Feb, 2026 | 21:20

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.12.7LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 2.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CPE Matches
torchbox
torchbox
>>wagtail>>Versions before 6.3.6(exclusive)
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
torchbox
torchbox
>>wagtail>>Versions from 6.4(inclusive) to 7.0.4(exclusive)
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
torchbox
torchbox
>>wagtail>>Versions from 7.1(inclusive) to 7.1.3(exclusive)
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
torchbox
torchbox
>>wagtail>>Versions from 7.2(inclusive) to 7.2.2(exclusive)
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity-advisories@github.com
CWE ID: CWE-862
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719security-advisories@github.com
Patch
https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241fsecurity-advisories@github.com
Patch
https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190security-advisories@github.com
Patch
https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915security-advisories@github.com
Patch
https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03security-advisories@github.com
Patch
https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2023-45809
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-2.7||LOW
EPSS-0.21% / 43.45%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 18:33
Updated-02 Aug, 2024 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Disclosure of user names via admin bulk action views in wagtail

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-torchboxwagtail
Product-wagtailwagtail
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-49652
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-2.7||LOW
EPSS-0.04% / 10.50%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 13:45
Updated-02 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1.

Action-Not Available
Vendor-Jenkins
Product-google_compute_engineJenkins Google Compute Engine Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-32466
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.7||LOW
EPSS-0.17% / 37.71%
||
7 Day CHG~0.00%
Published-18 Apr, 2024 | 15:02
Updated-11 Sep, 2025 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tolgee's API key scopes not checked when querying translation data

Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2

Action-Not Available
Vendor-tolgeetolgee
Product-tolgeetolgee-platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-41728
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-2.7||LOW
EPSS-0.09% / 24.78%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 04:00
Updated-16 Sep, 2024 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform

Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server for ABAP and ABAP Platform
CWE ID-CWE-862
Missing Authorization
CVE-2023-1296
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-2.7||LOW
EPSS-0.37% / 58.51%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 14:45
Updated-27 Feb, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nomad ACLs Can Not Deny Access to Workload's Own Variables

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-nomadNomad EnterpriseNomad
CWE ID-CWE-682
Incorrect Calculation
CWE ID-CWE-862
Missing Authorization
CVE-2025-53113
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.7||LOW
EPSS-0.03% / 10.27%
||
7 Day CHG~0.00%
Published-30 Jul, 2025 | 14:16
Updated-04 Aug, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI technicians can access unauthorized information through external links

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2025-30877
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-2.7||LOW
EPSS-0.19% / 40.70%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 10:55
Updated-27 Mar, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quiz Cat plugin <= 3.0.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in fatcatapps Quiz Cat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz Cat: from n/a through 3.0.8.

Action-Not Available
Vendor-fatcatapps
Product-Quiz Cat
CWE ID-CWE-862
Missing Authorization
Details not found