CVE-2026-28222 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in Wagtail, the popular open source content management system built on Django. The vulnerability exists in the rendering of TableBlock blocks within a StreamField, allowing authenticated users with page editing privileges to inject malicious JavaScript code that executes when the page is viewed by other users.
An attacker with access to create or edit pages containing TableBlock StreamField blocks can set specially-crafted class attributes on the block that execute arbitrary JavaScript code when the page is rendered. When viewed by administrators or users with higher privileges, this could enable session hijacking, privilege escalation, or unauthorized actions performed under the victim's credentials.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the context of higher-privileged users, potentially leading to account takeover, data exfiltration, or administrative actions performed without authorization.
Affected Products
- Wagtail versions prior to 6.3.8
- Wagtail versions 7.0.x prior to 7.0.6
- Wagtail versions 7.2.x prior to 7.2.3
- Wagtail versions 7.3.x prior to 7.3.1
Discovery Timeline
- 2026-03-05 - CVE-2026-28222 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28222
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) affects Wagtail's TableBlock component when used within StreamField blocks. The core issue stems from insufficient sanitization of user-supplied class attributes during the rendering phase. When a malicious user creates or modifies a page containing a TableBlock, they can inject JavaScript payloads through specially-crafted class attribute values.
Unlike reflected XSS attacks, stored XSS persists in the application database, meaning the malicious payload is executed every time any user views the affected page. This makes the vulnerability particularly dangerous in multi-user CMS environments where content editors may have lower privileges than site administrators.
The attack requires authentication to the Wagtail admin interface, limiting exposure to authenticated users. However, the vulnerability only affects sites that implement TableBlock functionality. Sites not using TableBlock in their page models are not vulnerable.
Root Cause
The vulnerability originates from improper input validation and output encoding in the TableBlock rendering logic. When table data containing class attributes is stored and subsequently rendered, the class attribute values are not properly sanitized or escaped, allowing HTML event handlers or other JavaScript execution vectors to be injected.
The affected code failed to properly sanitize user-controlled input before including it in the rendered HTML output, violating secure coding principles for XSS prevention. Class attributes, which typically should only contain CSS class names, were being rendered without validation, allowing attackers to break out of the attribute context and inject executable code.
Attack Vector
The attack is network-based and requires the attacker to have authenticated access to the Wagtail admin panel with permissions to create or edit pages containing TableBlock elements. The attacker crafts a malicious payload within the class attribute field of a table element.
When a victim user (ideally with higher privileges than the attacker) views the page containing the malicious TableBlock, the injected JavaScript executes in their browser session. This enables various attack scenarios including:
- Stealing session cookies or authentication tokens
- Performing actions as the victim user via CSRF-like requests
- Modifying page content visible to the victim
- Redirecting the victim to phishing pages
- Exfiltrating sensitive data accessible to the victim
The attack exploits the trust relationship between authenticated users and the CMS platform, making it effective for privilege escalation attacks where a lower-privileged content editor targets administrators.
Detection Methods for CVE-2026-28222
Indicators of Compromise
- Unusual or unexpected class attribute values in TableBlock elements containing JavaScript event handlers (e.g., onmouseover, onerror, onclick)
- TableBlock entries with encoded payloads or unusual Unicode characters in class attributes
- Audit log entries showing modifications to pages with TableBlock content by users who shouldn't have such access
- Browser console errors or warnings related to Content Security Policy violations on pages with tables
Detection Strategies
- Implement Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution
- Review Wagtail audit logs for suspicious page editing activity, particularly modifications to TableBlock content
- Deploy web application firewall (WAF) rules to detect XSS payloads in form submissions to the Wagtail admin
- Conduct periodic code reviews of page content focusing on TableBlock class attributes
Monitoring Recommendations
- Enable and monitor Wagtail's built-in audit logging for all page create and edit actions
- Implement real-time alerting for CSP violation reports using the report-uri directive
- Monitor for unusual patterns of page edits followed by views from administrative accounts
- Deploy endpoint detection solutions capable of identifying browser-based attacks and suspicious JavaScript execution
How to Mitigate CVE-2026-28222
Immediate Actions Required
- Upgrade Wagtail to a patched version: 6.3.8, 7.0.6, 7.2.3, or 7.3.1 depending on your current version branch
- Audit existing TableBlock content for suspicious class attribute values before and after patching
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
- Review user permissions and restrict TableBlock editing access to trusted users only
Patch Information
The Wagtail development team has released security patches across all supported version branches. Organizations should upgrade to the appropriate patched version based on their current deployment:
| Current Version | Upgrade To |
|---|---|
| 6.3.x | v6.3.8 |
| 7.0.x | v7.0.6 |
| 7.2.x | v7.2.3 |
| 7.3.x | v7.3.1 |
For detailed technical information about the fix, refer to the Wagtail Security Advisory GHSA-p5cm-246w-84jm or review the commit history at Wagtail Commit 0375094.
Workarounds
- If immediate patching is not possible, temporarily disable TableBlock functionality by removing it from page models
- Implement strict Content Security Policy headers to mitigate the impact of any XSS payload execution
- Restrict admin access to only essential personnel until the patch can be applied
- Consider deploying a web application firewall with XSS filtering rules in front of the Wagtail application
# Upgrade Wagtail using pip (example for version 7.3.1)
pip install --upgrade wagtail==7.3.1
# Verify the installed version
python -c "import wagtail; print(wagtail.VERSION)"
# Apply database migrations if required
python manage.py migrate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
