CVE-2026-44201

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

References

• https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6