Share
## https://sploitus.com/exploit?id=PACKETSTORM:218141
Title: Wagtail CMS 6.4.1 Stored Cross-Site Scripting (XSS)
    
    Date: 2026-03-31
    Author: Ibrahim Fatih Inceli, Berat Aksit
    Vendor Homepage: https://wagtail.org/
    Software Link: https://github.com/wagtail/wagtail
    Version: 6.4.1
    CVE: CVE-2026-45388
    PoC: https://github.com/echoBRT/Wagtail-CMS-XSS
    
    Description:
    Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability
    in the document upload functionality. An attacker can embed a malicious payload inside
    a PDF file. When the uploaded document is accessed via the CMS interface, the payload
    may execute in the context of the user.
    
    Technical Details:
    The vulnerability occurs due to insufficient validation and sanitization of uploaded
    document content. Specifically, crafted PDF files containing embedded JavaScript can
    be uploaded and later executed when accessed through the CMS document management interface.
    
    Steps to Reproduce:
    1. Login to Wagtail CMS as a user with document upload permissions.
    2. Upload a crafted PDF file containing JavaScript payload.
    3. Navigate to the Documents section.
    4. Click on the uploaded document.
    5. Observe that the payload executes.
    
    Impact:
    This vulnerability may allow attackers to execute arbitrary JavaScript in the context
    of authenticated users, potentially leading to session hijacking or further compromise.
    
    Vendor Response:
    This issue is disputed by the vendor. According to the vendor, the behavior depends on
    the file serving configuration. When files are served outside of Wagtail (default setup),
    security headers and execution controls depend on the hosting environment (e.g., AWS S3).
    
    Solution:
    Properly configure file serving mechanisms and ensure appropriate security headers
    (e.g., Content-Type, Content-Disposition, CSP) are enforced when serving uploaded files.
    
    Credits:
    Discovered by Ibrahim Fatih Inceli and Berat Aksit
    
    Best Regards.
    
    [cid:479d3baf-bf4d-47bf-81e3-0024f280dd51]