fix(deps): update dependency wagtail to v7 [security] #3777

Open
renovate[bot] wants to merge 1 commit into master from renovate/pypi-wagtail-vulnerability

@renovate renovate Bot commented Feb 3, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package              Change
wagtail (changelog)  ==6.4.2 → ==7.0.7

Wagtail has improper permission handling on admin preview endpoints

CVE-2026-25517 / GHSA-4qvv-g3vr-m348

More information

Details

Impact

Due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 7.2.2. The new 7.3 feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to @​thxtech for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes

CVE-2026-28222 / GHSA-p5cm-246w-84jm

More information

Details

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

Site owners who are unable to upgrade to the new versions can remediate the vulnerability by setting a template attribute on all TableBlock definitions, referencing a template that does not output class attributes. For example:

<!-- For use with TableBlock(template="path/to/table_block.html") -->
<table>
    {% if table_caption %}
        <caption>{{ table_caption }}</caption>
    {% endif %}
    {% if table_header %}
        <thead>
            <tr>
                {% for cell in table_header %}
                    <th scope="col">{{ cell }}</th>
                {% endfor %}
            </tr>
        </thead>
    {% endif %}
    <tbody>
        {% for row in data %}
            <tr>
                {% for cell in row %}
                    {% if first_col_is_header and forloop.first %}
                        <th scope="row">{{ cell }}</th>
                    {% else %}
                        <td>{{ cell }}</td>
                    {% endif %}
                {% endfor %}
            </tr>
        {% endfor %}
    </tbody>
</table>

Acknowledgements

Many thanks to Guan Chenxian (@​GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

CVE-2026-28223 / GHSA-p4v8-rw59-93cq

More information

Details

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

None

Acknowledgements

Many thanks to Guan Chenxian (@​GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when comparing revisions

CVE-2026-44197 / GHSA-c6wj-9vcj-75pj

More information

Details

Impact

A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to Seoyoung Kang @​seoyoung-kang from AhnLab and an independent security researcher for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when viewing page history

CVE-2026-44198 / GHSA-c4mr-889m-vgf6

More information

Details

Impact

A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks Seoyoung Kang @​seoyoung-kang who is from AhnLab and also an independent security researcher for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when deleting form submissions

CVE-2026-44199 / GHSA-pwm3-7fv4-g6xx

More information

Details

Impact

A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks Vishal Shukla @​shukla304 for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper restriction handling on Documents and Images API

CVE-2026-44201 / GHSA-p5gm-92h4-6pv6

More information

Details

Impact

The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

Site owners using Wagtail's API can avoid the vulnerability by adding authentication to the Documents and Images APIs.

Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @​thesanjok for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when copying pages

CVE-2026-44200 / GHSA-67rv-mg8q-5pf3

More information

Details

Impact

A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @​thesanjok for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling on admin preview endpoints

CVE-2026-25517 / GHSA-4qvv-g3vr-m348

More information

Details

Impact

Due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 7.2.2. The new 7.3 feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to @​thxtech for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

CVE-2026-28223 / GHSA-p4v8-rw59-93cq

More information

Details

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

None

Acknowledgements

Many thanks to Guan Chenxian (@​GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes

CVE-2026-28222 / GHSA-p5cm-246w-84jm

More information

Details

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

Site owners who are unable to upgrade to the new versions can remediate the vulnerability by setting a template attribute on all TableBlock definitions, referencing a template that does not output class attributes. For example:

<!-- For use with TableBlock(template="path/to/table_block.html") -->
<table>
    {% if table_caption %}
        <caption>{{ table_caption }}</caption>
    {% endif %}
    {% if table_header %}
        <thead>
            <tr>
                {% for cell in table_header %}
                    <th scope="col">{{ cell }}</th>
                {% endfor %}
            </tr>
        </thead>
    {% endif %}
    <tbody>
        {% for row in data %}
            <tr>
                {% for cell in row %}
                    {% if first_col_is_header and forloop.first %}
                        <th scope="row">{{ cell }}</th>
                    {% else %}
                        <td>{{ cell }}</td>
                    {% endif %}
                {% endfor %}
            </tr>
        {% endfor %}
    </tbody>
</table>

Acknowledgements

Many thanks to Guan Chenxian (@​GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when copying pages

CVE-2026-44200 / GHSA-67rv-mg8q-5pf3 / PYSEC-2026-149

More information

Details

Impact

A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @​thesanjok for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when viewing page history

CVE-2026-44198 / GHSA-c4mr-889m-vgf6 / PYSEC-2026-147

More information

Details

Impact

A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks Seoyoung Kang @​seoyoung-kang who is from AhnLab and also an independent security researcher for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when comparing revisions

CVE-2026-44197 / GHSA-c6wj-9vcj-75pj / PYSEC-2026-146

More information

Details

Impact

A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to Seoyoung Kang @​seoyoung-kang from AhnLab and an independent security researcher for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper restriction handling on Documents and Images API

CVE-2026-44201 / GHSA-p5gm-92h4-6pv6 / PYSEC-2026-150

More information

Details

Impact

The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

Site owners using Wagtail's API can avoid the vulnerability by adding authentication to the Documents and Images APIs.

Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @​thesanjok for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Wagtail has improper permission handling when deleting form submissions

CVE-2026-44199 / GHSA-pwm3-7fv4-g6xx / PYSEC-2026-148

More information

Details

Impact

A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Wagtail thanks Vishal Shukla @​shukla304 for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


CVE-2026-44197 / GHSA-c6wj-9vcj-75pj / PYSEC-2026-146

More information

Details

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2026-44198 / GHSA-c4mr-889m-vgf6 / PYSEC-2026-147

More information

Details

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2026-44199 / GHSA-pwm3-7fv4-g6xx / PYSEC-2026-148

More information

Details

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2026-44200 / GHSA-67rv-mg8q-5pf3 / PYSEC-2026-149

More information

Details

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


CVE-2026-44201 / GHSA-p5gm-92h4-6pv6 / PYSEC-2026-150

More information

Details

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Release Notes

wagtail/wagtail (wagtail)

v7.0.7: 7.0.7

Compare Source

  • Security fix: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Security fix: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Security fix: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Security fix: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Security fix: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
  • Fix: Correctly escape the sizes attribute in responsive image template tags (Jake Howard)
  • Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
  • Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)

v7.0.6: 7.0.6

Compare Source

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)

v7.0.5: 7.0.5

Compare Source

  • Remove upper bound on Pillow dependency (Kunal Hemnani)

v7.0.4: 7.0.4

Compare Source

  • Fix: Prevent error on custom generic create and edit views without a header icon (Sage Abdullah)
  • Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

v7.0.3: 7.0.3

Compare Source

  • Fix: Prevent crash when previewing a form page with an empty field type (Sage Abdullah)

v7.0.2: 7.0.2

Compare Source

  • Fix: Prevent error when restoring scroll position for cross-domain preview iframe (Sage Abdullah)
  • Fix: Remove ngram parser on MySQL that prevented autocomplete search from returning results (Vince Salvino)
  • Fix: Ensure the editing of translation alias pages correctly shows links to the source page if the alias was created from a draft (Dan Braghis)

v7.0.1: 7.0.1

Compare Source

  • Fix: Fix type hints for register_filter_adapter_class parameters (Sébastien Corbin)
  • Fix: Use correct URL when redirecting back to the listing after filtering and deleting form submissions (Sage Abdullah)
  • Fix: Fix broken migration when ListBlock is defined with a child_block kwarg (Matt Westcott)
  • Fix: Fix saving of empty values in EmbedBlock (Matt Westcott)
  • Fix: Sanitize request data when logging method not allowed (Jake Howard)
  • Docs: Use tuple instead of set in UniqueConstraint examples for a custom rendition model to avoid spurious migrations (Alec Baron)
  • Docs: Document how to turn off StreamField block previews (Shlomo Markowitz)
  • Maintenance: Use utf8mb4 charset and collation for MySQL test database (Sage Abdullah)

v7.0: 7.0 LTS

Compare Source

  • Add formal support for Django 5.2 (Matt Westcott)
  • Allow validation of required fields to be deferred on saving drafts (Matt Westcott, Sage Abdullah)
  • Add WAGTAIL_ prefix to Wagtail-specific tag settings (Aayushman Singh)
  • Implement normalize on TypedTableBlock to assist with setting default and preview_value (Sage Abdullah)
  • Apply normalization when modifying a StreamBlock's value to assist with programmatic changes to StreamField (Matt Westcott)
  • Allow a custom image rendition model to define its unique constraint with models.UniqueConstraint instead of unique_together (Oliver Parker, Cynthia Kiser, Sage Abdullah)
  • Default to the standard tokenizer on Elasticsearch, to correctly handle numbers as tokens (Matt Westcott)
  • Add color-scheme meta tag to Wagtail admin (Ashish Nagmoti)
  • Add the ability to set the default privacy restriction for new pages using get_default_privacy_setting (Shlomo Markowitz)
  • Improve performance of batch purging page urls in the frontend cache, avoiding n+1 query issues (Andy Babic)
  • Add better support and documentation for overriding or extending icons used in the userbar (Sébastien Corbin)
  • List the comments action, if comments are enabled, within the admin keyboard shortcuts dialog (Dhruvi Patel)
  • Add better support and documentation for overriding the default field widgets used within form pages (Baptiste Mispelon)
  • Allow workflow tasks to specify a template for the action modal via get_template_for_action (Sage Abdullah)
  • Change 'Publish' button label to 'Schedule to publish' if go-live schedule is set (Sage Abdullah)
  • Exclude snippets that have their own menu items from the "Snippets" menu (Andy Chosak, Matt Westcott)
  • Introduce new designs for listings and chooser pagination (except page chooser) (Jordan Teichmann, Sage Abdullah)
  • Add default "Locale" column to listings and choosers of translatable models (Dan Braghis, Sage Abdullah)
  • Apply current content's locale in choosers by default and add the ability to clear the locale filter (Dan Braghis)
  • Hide add locale button when no more languages are available (Dan Braghis)
  • Allow customizing InspectView field display value via methods on the view (Dan Braghis)
  • Make rendering of active listing filters extensible, to support additional filter types (Sage Abdullah)
  • Fix: Take preferred language into account for translatable strings in client-side code (Bernhard Bliem, Sage Abdullah)
  • Fix: Do not show the content type column as sortable when searching pages (Srishti Jaiswal, Sage Abdullah)
  • Fix: Support simple subqueries for in and exact lookup on Elasticsearch (Sage Abdullah)
  • Fix: Force preview panel scroll behavior to instant to avoid flickering (Sage Abdullah)
  • Fix: Support translating with the preferred language for rich text formatting labels (Bernhard Bliem, Sage Abdullah)
  • Fix: Make "Actions" label translatable within the rich text toolbar (Bernhard Bliem, Sage Abdullah)
  • Fix: Fix incorrect "Views (past week)" heading on p

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone US/Eastern)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 6 times, most recently from a17d2b5 to 141bc8a Compare February 9, 2026 14:03
@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 11 times, most recently from 01a664d to 1ad836b Compare February 19, 2026 12:09
@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 13 times, most recently from 8c8aa32 to 6acf8ba Compare February 25, 2026 16:34
@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 15 times, most recently from 8e3c49a to eb24a98 Compare March 9, 2026 21:50
@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 10 times, most recently from 8b537f6 to 8cb308c Compare March 16, 2026 10:05
@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 2 times, most recently from 1f33630 to 7fd3c9d Compare March 25, 2026 17:59
@renovate renovate Bot force-pushed the renovate/pypi-wagtail-vulnerability branch 2 times, most recently from f6b2404 to 3d8b1ef Compare March 26, 2026 21:42
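
Added example (not part of the Renovate PR or of Wagtail's code): a triage script that checks a pinned Wagtail version against the patched releases listed in the advisories above and finds the lowest listed release that clears all of them. It assumes that a version in a release line with no listed patch counts as fixed only when it is newer than every listed patched release; the function names are illustrative.

```python
import re

# Patched releases exactly as listed in the advisories quoted in this PR.
XSS_FIXES = ["6.3.8", "7.0.6", "7.2.3", "7.3.1"]
LATEST_FIXES = ["7.0.7", "7.3.2", "7.4"]
ADVISORIES = {
    "CVE-2026-25517": ["6.3.6", "7.0.4", "7.1.3", "7.2.2", "7.3"],
    "CVE-2026-28222": XSS_FIXES,
    "CVE-2026-28223": XSS_FIXES,
    "CVE-2026-44197": LATEST_FIXES,
    "CVE-2026-44198": LATEST_FIXES,
    "CVE-2026-44199": LATEST_FIXES,
    "CVE-2026-44200": LATEST_FIXES,
    "CVE-2026-44201": LATEST_FIXES,
}


def parse_version(text):
    """Turn '==7.0.7' or '7.3' into (7, 0, 7) / (7, 3, 0).

    Only exact release versions are accepted; ranges and pre-releases
    raise ValueError so they are never silently treated as patched.
    """
    match = re.fullmatch(r"(?:==)?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if match is None:
        raise ValueError(f"not an exact release version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_fixed(version, patched):
    """Return True if `version` is at or past the fix for one advisory."""
    current = parse_version(version)
    fixes = sorted(parse_version(p) for p in patched)
    same_line = [fix for fix in fixes if fix[:2] == current[:2]]
    if same_line:
        # A patch exists for this major.minor line: compare within the line.
        return current >= same_line[0]
    # Assumption: with no patch listed for this line, only a version newer
    # than every listed patched release is treated as fixed.
    return current > fixes[-1]


def open_advisories(version):
    """List the advisories from this PR that `version` is not known to fix."""
    return sorted(
        cve for cve, patched in ADVISORIES.items()
        if not is_fixed(version, patched)
    )


def smallest_upgrade(version):
    """Lowest release, among the current version and the listed patched
    releases at or above it, that leaves no advisory open."""
    current = parse_version(version)
    candidates = {current}
    for patched in ADVISORIES.values():
        candidates.update(parse_version(p) for p in patched)
    for candidate in sorted(c for c in candidates if c >= current):
        text = ".".join(str(part) for part in candidate)
        if not open_advisories(text):
            return text
    return None


if __name__ == "__main__":
    pinned = "==6.4.2"  # the version this PR upgrades from
    print(pinned, "open:", open_advisories(pinned))
    print("smallest listed upgrade:", smallest_upgrade(pinned))
```

For the pin this PR replaces, the script lands on the same target Renovate chose; 7.0.6 would still leave the five advisories fixed in 7.0.7 open.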