{"api_version":"1","generated_at":"2026-07-03T21:18:39+00:00","cve":"CVE-2026-54262","urls":{"html":"https://cve.report/CVE-2026-54262","api":"https://cve.report/api/cve/CVE-2026-54262.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-54262","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-54262"},"summary":{"title":"Wagtail: Pages translations can be created without page permissions when using simple_translation","description":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the \"Can submit translation\" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-01 22:16:49","updated_at":"2026-07-02 19:29:35"},"problem_types":["CWE-280","CWE-280 CWE-280: Improper Handling of Insufficient Permissions or Privileges"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c","name":"https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c","refsource":"security-advisories@github.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-54262","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54262","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wagtail","product":"wagtail","version":"affected < 7.0.8","platforms":[]},{"source":"CNA","vendor":"wagtail","product":"wagtail","version":"affected >= 7.1.0, < 7.3.3","platforms":[]},{"source":"CNA","vendor":"wagtail","product":"wagtail","version":"affected >= 7.4.0, < 7.4.2","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"54262","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"torchbox","cpe5":"wagtail","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"54262","cve":"CVE-2026-54262","epss":"0.001620000","percentile":"0.057190000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:10"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-54262","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-02T12:42:05.464782Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-02T12:42:13.452Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"wagtail","vendor":"wagtail","versions":[{"status":"affected","version":"< 7.0.8"},{"status":"affected","version":">= 7.1.0, < 7.3.3"},{"status":"affected","version":">= 7.4.0, < 7.4.2"}]}],"descriptions":[{"lang":"en","value":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the \"Can submit translation\" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-280","description":"CWE-280: Improper Handling of Insufficient Permissions or Privileges","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-01T21:11:27.671Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c","tags":["x_refsource_CONFIRM"],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c"}],"source":{"advisory":"GHSA-8634-mr4j-r72c","discovery":"UNKNOWN"},"title":"Wagtail: Pages translations can be created without page permissions when using simple_translation"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-54262","datePublished":"2026-07-01T21:11:27.671Z","dateReserved":"2026-06-12T17:13:32.279Z","dateUpdated":"2026-07-02T12:42:13.452Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-01 22:16:49","lastModifiedDate":"2026-07-02 19:29:35","problem_types":["CWE-280","CWE-280 CWE-280: Improper Handling of Insufficient Permissions or Privileges"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-02T12:42:05.464782Z","id":"CVE-2026-54262","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.8","matchCriteriaId":"CF370D50-0940-40D5-BE8D-BDFCADCFA19B"},{"vulnerable":true,"criteria":"cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*","versionStartIncluding":"7.1","versionEndExcluding":"7.3.3","matchCriteriaId":"A0449BE9-8773-411D-8EA6-D3AB463B7176"},{"vulnerable":true,"criteria":"cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*","versionStartIncluding":"7.4","versionEndExcluding":"7.4.2","matchCriteriaId":"FD242BAD-6905-401E-9AD5-A39E992DB9E1"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"54262","Ordinal":"1","Title":"Wagtail: Pages translations can be created without page permissi","CVE":"CVE-2026-54262","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"54262","Ordinal":"1","NoteData":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the \"Can submit translation\" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","Type":"Description","Title":"Wagtail: Pages translations can be created without page permissi"}]}}}