Title: Wagtail CMS 6.4.1 Stored Cross-Site Scripting (XSS)
Date: 2026-03-31
Author: Ibrahim Fatih Inceli, Berat Aksit
Vendor Homepage: https://wagtail.org/
Software Link: https://github.com/wagtail/wagtail
Version: 6.4.1
CVE: CVE-2026-45388
PoC: https://github.com/echoBRT/Wagtail-CMS-XSS

Description:
Wagtail CMS 6.4.1 is vulnerable to stored Cross-Site Scripting (XSS) in the document upload functionality. An attacker can embed a malicious payload inside a PDF file. When the uploaded document is accessed via the CMS interface, the payload may execute in the context of the user viewing it.

Technical Details:
The vulnerability is caused by insufficient validation and sanitization of uploaded document content. Specifically, crafted PDF files containing embedded JavaScript can be uploaded and are later executed when the document is opened through the CMS document management interface.

Steps to Reproduce:
1. Log in to Wagtail CMS as a user with document upload permissions.
2. Upload a crafted PDF file containing a JavaScript payload.
3. Navigate to the Documents section.
4. Click on the uploaded document.
5. Observe that the payload executes.

Impact:
This vulnerability may allow attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking or further compromise.

Vendor Response:
This issue is disputed by the vendor. According to the vendor, the behavior depends on the file serving configuration. When files are served outside of Wagtail (the default setup), security headers and execution controls depend on the hosting environment (e.g., AWS S3).

Solution:
Properly configure the file serving mechanism and ensure appropriate security headers (e.g., Content-Type, Content-Disposition, CSP) are enforced when serving uploaded files.

Credits:
Discovered by Ibrahim Fatih Inceli and Berat Aksit

Best Regards.
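As an added illustration of the Solution section (not code from the advisory or from the Wagtail project), the following stand-alone Python builds the response headers a file-serving view should attach to an uploaded document and audits a header set for the weak configuration described above: a PDF served inline with no nosniff and no restrictive CSP. The sample responses at the bottom are constructed; the header names and values are standard HTTP, and the policy of forcing PDFs to download is this example's own choice.

```python
"""Hardened headers for serving user uploads, plus an audit for weak ones."""

# Types the browser may render inline; everything else is forced to
# download. PDFs are deliberately excluded: a PDF rendered inline can
# carry script that runs in the serving site's origin.
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def document_headers(filename: str, content_type: str) -> dict:
    """Return the headers a file-serving view should attach to an upload."""
    # Strip characters that could inject extra header parameters or lines.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    disposition = "inline" if content_type in INLINE_TYPES else "attachment"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Stop the browser from sniffing the body into another type.
        "X-Content-Type-Options": "nosniff",
        # Even if the file is rendered, deny it scripts, network access and
        # the ability to navigate the top-level page.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def audit_headers(headers: dict) -> list:
    """Flag settings that would let an uploaded file execute script."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").lower()
    # Active content types must not be rendered inline from the site origin.
    if ctype in ("application/pdf", "text/html", "image/svg+xml") \
            and not disp.startswith("attachment"):
        findings.append(f"{ctype} served inline: embedded script can run in site origin")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    if "default-src 'none'" not in csp and "sandbox" not in csp:
        findings.append("no restrictive Content-Security-Policy on served file")
    return findings


# Constructed samples: a PDF returned verbatim by a static/object-storage
# setup, versus the same file served with the hardened headers above.
WEAK_PDF_RESPONSE = {"Content-Type": "application/pdf"}
HARDENED_PDF_RESPONSE = document_headers("report.pdf", "application/pdf")
```

Running `audit_headers` over a captured response from the document URL is a quick way to confirm whether the hosting layer, rather than Wagtail, is the component that needs fixing.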