CVE-2026-54261
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
In Wagtail, an open source CMS built on Django, a missing permission check on the image preview endpoint allows users with Wagtail admin access to preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by ordinary site visitors without admin access.
Risk Assessment
The risk involves unauthorized access to images by users with administrative privileges, potentially leading to exposure of sensitive visual content. An attacker could exploit this to view images they should not have access to.
Recommendation
Immediately upgrade Wagtail to versions 7.0.8, 7.3.3, or 7.4.2, which include a fix for the missing permission check. After updating, review admin panel access configurations.
Original NVD description (English source)
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

