CVE-2026-44199
Wagtail has improper permission handling when deleting form submissions
6.5
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
How to fix CVE-2026-44199
To remediate CVE-2026-44199, upgrade the affected package to a fixed version below.
- —upgrade to 7.0.7 or later
- —upgrade to 7.0.7 or later
Is CVE-2026-44199 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 7.0.7
- from 0, < 7.0.7, >= 7.1, < 7.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |