Sourced from wagtail's releases.

7.4.1

• Fix: Reinstate missing file jquery.fileupload-validate.js (Rob Brackett)

Sourced from wagtail's changelog.

7.4.1 (19.05.2026)

 * Fix: Reinstate missing file `jquery.fileupload-validate.js` (Rob Brackett)
7.4 LTS (05.05.2026)

• Add is_deferred_validation flag to support skipping custom validation when saving drafts (Daniel Kirkham)
• Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
• Add include_root parameter to admin pages API endpoint (Divyansh Mishra)
• Add support for Flourish oEmbeds (Garrett Coakley)
• Add support for Heyzine oEmbeds (Baptiste Darthenay)
• Allow specifying creation_form_class on ChooserViewSet as a dotted path string (K Adithya)
• Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
• Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
• Add WAGTAILDOCS_MAX_UPLOAD_SIZE setting for specifying maximum document file size (Om Harsh)
• Set the project template WAGTAILDOCS_MAX_UPLOAD_SIZE to 10MB (Thibaud Colas)
• Optimize combining of querysets in site history report (Alex Bridge)
• Add more informative error for format-* operations on SVG images (Ankit Kumar)
• Store preview data in new FormState model to improve compatibility with cookie-based sessions (Sage Abdullah)
• Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
• Add WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS setting to disable permission filtering on page searches (Matt Westcott)
• Use choice label when displaying choice fields in SnippetViewSet/ModelViewSet's list_display (Srishti Jaiswal)
• Add new content check empty-meta-description to validate meta description tags are not empty (Thibaud Colas)
• Add extractMetrics method to PreviewController to retrieve content metrics from the preview panel (Thibaud Colas)
• Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
• Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
• Upgrade modelsearch to 1.3 (Matt Westcott)
• Implement checker error highlights within the preview panel (Thibaud Colas)
• Add routablefullpageurl template tag (Pravin Kamble)
• Add support for customizing page explorer views per page type using PageViewSet (Sage Abdullah)
• Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
• Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
• Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
• Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
• Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
• Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
• Fix: Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
• Fix: Avoid duplicate get_object() DB query in API detail view (Siddheshwar Kadam)
• Fix: Ensure ImageBlock alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
• Fix: Set verbose_name_plural for Query model in search promotions app (Saptami)
• Fix: Truncate overly long task names in workflow admin view (Gaurav Takhi)
• Fix: Hide "Add child page" button when no child pages can be created as per max_count or max_count_per_parent (Lasse Schmieding)
• Fix: Prevent multiple child pages with max_count_per_parent being moved under one parent (James Biggs)
• Fix: Use POST instead of DELETE in Cloudflare Frontend Cache Backend (Tom Usher)
• Fix: Handle null values for title, author name or provider name in OEmbed responses (Baptiste Darthenay)
• Fix: Preserve original data types from ChoiceBlock choices in block values (Devarshi Mani Tripathi)
• Fix: Fix translation sync logic for django-treebeard 5.0.2 (Matt Westcott)

... (truncated)

• 95b020d Fetch new translation files from Transifex
• 224616d Version bump to 7.4.1
• 94931cd Release note for #14230
• e67919e Move file validation script to shared location
• b85bcc0 Add client tests for Image & Document upload
• 06237c5 Fill in CVE identifiers
• 48a7d42 Fetch new translations from Transifex
• 3bcddf2 ruff format
• e182e3e Version bump to 7.4 final
• d504b23 Release notes for security fixes in 7.4
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)