Wagtail 7.4.2 release notes

June 15, 2026

What’s new

CVE-2026-54259: Improper restriction handling on Documents and Images chosen endpoints

This release addresses a faulty permission check in the document and image choosers. The chosen endpoint of the Documents and Images choosers incorrectly listed items for which the user had not been granted choose permission. As a result, a user with access to the Wagtail admin could see the filename, name, and URL of documents and images in those collections.

Many thanks to Harsh Akshit for reporting this issue. For further details, please see the CVE-2026-54259 security advisory.

CVE-2026-54260: Denial of service via unbounded filter specs in the image preview

This release addresses a potential denial-of-service attack on the image preview endpoint. An authenticated admin user could trigger expensive rendition processing with purposefully crafted filter specs, potentially resulting in service degradation.

Many thanks to 0x1saac for reporting this issue. For further details, please see the CVE-2026-54260 security advisory.

CVE-2026-54261: Improper permission handling in image preview

This release addresses a faulty permission check in the image preview endpoint. A user with access to the Wagtail admin could preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Many thanks to 0x1saac and Harsh Akshit for reporting this issue. For further details, please see the CVE-2026-54261 security advisory.

CVE-2026-54262: Page translations can be created without page permissions when using simple_translation

This release addresses a faulty permission check in the simple_translation app. A low-level user with the “Can submit translation” permission could create translations for any page, including those they do not have permissions for.

Many thanks to Devansh Bordia and alanturing881 for reporting this issue. For further details, please see the CVE-2026-54262 security advisory.

CVE-2026-54263: Reflected XSS in dynamic image URL generator view

This release addresses a reflected cross-site scripting (XSS) vulnerability on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user’s credentials.

Many thanks to Thibaud Colas for reporting this issue. For further details, please see the CVE-2026-54263 security advisory.

Bug fixes

  • Prevent spurious migrations when there are missing child blocks in StructBlock.Meta.form_layout (Matthias Brück, Sage Abdullah)

  • Prevent error in usage views when using gettext_lazy for a model’s verbose_name (James Biggs)

  • Prevent development markdown files from being added to virtual environment root upon installation (Dan Braghis)

  • Prevent StreamField blocks referenced multiple times from losing their required state after deferred validation (Sage Abdullah)

Documentation

  • Add missing return in example views for template components (Tibor Leupold)