{"id":"CVE-2021-29434","details":"Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).","aliases":["GHSA-wq5h-f9p5-q7fx","PYSEC-2021-114"],"modified":"2026-04-10T04:31:58.299399Z","published":"2021-04-19T19:15:17.610Z","related":["GHSA-wq5h-f9p5-q7fx"],"references":[{"type":"ADVISORY","url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"},{"type":"PACKAGE","url":"https://pypi.org/project/wagtail/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wagtail/wagtail","events":[{"introduced":"0"},{"fixed":"4ddfb4809663655bbaae66d0bf6152c5033c738b"},{"introduced":"0"},{"fixed":"904b54804cbb81a91944101f6b2965359134f5b4"},{"introduced":"0"},{"fixed":"b34d48297e737b5ebbe2d7f3d3af3fa6b527487f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.11.6"},{"introduced":"2.11.0"},{"fixed":"2.11.7"},{"introduced":"2.12.0"},{"fixed":"2.12.4"}]}}],"versions":["v0.1","v0.2","v0.4","v0.5","v0.6","v0.7","v0.8","v0.8.1","v1.0b2","v1.0rc1","v1.10rc1","v1.1rc1","v1.2rc1","v1.3rc1","v1.4rc1","v1.5rc1","v1.6rc1","v1.8rc1","v2.11","v2.11.1","v2.11.2","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.rc1","v2.12","v2.12.1","v2.12.2","v2.12.3","v2.12rc1","v2.2rc1","v2.8rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29434.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}