Wagtail

Productivity & Wikis

An open‑source Django‑based content management system focused on author experience and flexible front‑end control

Python · Latest v7.4.1 · 15d ago

Features

  • Fast, attractive admin interface for authors
  • Full control over front‑end design and structure
  • Scales to millions of pages and thousands of editors
  • Built‑in Content API for headless ‘decoupled’ sites
  • Powerful search with Elasticsearch or PostgreSQL

Recent releases

No immediate action
v7.4.1 Bugfix

Missing file restored

v7.4 Breaking risk
⚠ Upgrade required
  • Django version must be >=4.3 (Django 4.2 support removed)
  • Project template Dockerfile now builds dependencies in a separate stage
  • Node.js upgraded to active LTS version 24 with Jest, Storybook, and ESLint updates
Breaking changes
  • Removed support for Django 4.2
Security fixes
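  • CVE-2026-44197: Improper permission handling when comparing revisions
  • CVE-2026-44198: Improper permission handling when viewing page history
  • CVE-2026-44199: Improper permission handling when deleting form submissions
  • CVE-2026-44200: Improper permission handling when copying pages
  • CVE-2026-44201: Improper restriction handling on Documents and Images API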
Notable features
  • Added `is_deferred_validation` flag to skip custom validation when saving drafts
  • Added `include_root` parameter to admin pages API endpoint
  • Added Flourish and Heyzine oEmbeds support
Full changelog
  • Add is_deferred_validation flag to support skipping custom validation when saving drafts (Daniel Kirkham)
  • Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
  • Add include_root parameter to admin pages API endpoint (Divyansh Mishra)
  • Add support for Flourish oEmbeds (Garrett Coakley)
  • Add support for Heyzine oEmbeds (Baptiste Darthenay)
  • Allow specifying creation_form_class on ChooserViewSet as a dotted path string (K Adithya)
  • Various user experience improvements to autosave and concurrent editing notifications (Sage Abdullah)
  • Allow validation of required StreamField blocks to be deferred on saving drafts (Sage Abdullah)
  • Add WAGTAILDOCS_MAX_UPLOAD_SIZE setting for specifying maximum document file size (Om Harsh)
  • Set the project template WAGTAILDOCS_MAX_UPLOAD_SIZE to 10MB (Thibaud Colas)
  • Optimize combining of querysets in site history report (Alex Bridge)
  • Add more informative error for format-* operations on SVG images (Ankit Kumar)
  • Store preview data in new FormState model to improve compatibility with cookie-based sessions (Sage Abdullah)
  • Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
  • Add WAGTAILADMIN_PAGE_SEARCH_FILTER_BY_PERMISSIONS setting to disable permission filtering on page searches (Matt Westcott)
  • Use choice label when displaying choice fields in SnippetViewSet/ModelViewSet's list_display (Srishti Jaiswal)
  • Add new content check empty-meta-description to validate meta description tags are not empty (Thibaud Colas)
  • Add extractMetrics method to PreviewController to retrieve content metrics from the preview panel (Thibaud Colas)
  • Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
  • Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
  • Upgrade modelsearch to 1.3 (Matt Westcott)
  • Implement checker error highlights within the preview panel (Thibaud Colas)
  • Add routablefullpageurl template tag (Pravin Kamble)
  • Add support for customizing page explorer views per page type using PageViewSet (Sage Abdullah)
  • Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)
  • Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Fix: Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
  • Fix: Avoid duplicate get_object() DB query in API detail view (Siddheshwar Kadam)
  • Fix: Ensure ImageBlock alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
  • Fix: Set verbose_name_plural for Query model in search promotions app (Saptami)
  • Fix: Truncate overly long task names in workflow admin view (Gaurav Takhi)
  • Fix: Hide "Add child page" button when no child pages can be created as per max_count or max_count_per_parent (Lasse Schmieding)
  • Fix: Prevent multiple child pages with max_count_per_parent being moved under one parent (James Biggs)
  • Fix: Use POST instead of DELETE in Cloudflare Frontend Cache Backend (Tom Usher)
  • Fix: Handle null values for title, author name or provider name in OEmbed responses (Baptiste Darthenay)
  • Fix: Preserve original data types from ChoiceBlock choices in block values (Devarshi Mani Tripathi)
  • Fix: Fix translation sync logic for django-treebeard 5.0.2 (Matt Westcott)
  • Fix: Correctly HTML-escape page title in approval/rejection notification emails (Matt Westcott)
  • Fix: Correctly HTML-escape URL in photo type oembeds (Thibaud Colas)
  • Fix: Ensure user with appropriate permissions can cancel a workflow task (Dan Braghis)
  • Fix: Ensure "submit to workflow" menu item uses the workflow name when creating pages (Sage Abdullah)
  • Fix: Better align page descriptions in add subpage views (Tibor Leupold)
  • Fix: Correctly close the Pages menu panel when clicking sidebar search (Divyansh Mishra)
  • Docs: Add documentation for the filter_spec parameter of ImageRenditionField (Soumya-codr)
  • Docs: Add guide for testing document upload forms (Wenli Tsai, Bhavesh Sharma)
  • Docs: Document the nested_default_fields attribute on API viewsets (Deepanshu Tevathiya)
  • Docs: Replace http with https in example URLs (Kunal Gupta)
  • Docs: Use pathlib.Path for settings in "Integrating into Django" documentation (Kunal Gupta)
  • Docs: Clarify example of how to implement custom embed finders (Naman Sharma S)
  • Docs: Add documentation for using the ReferenceIndex API (Saptami)
  • Docs: Retitle documentation page for settings contrib module to "Settings models" (Karl Hobley)
  • Docs: Fix typos and minor grammar issues (Kunal Gupta)
  • Docs: Correct references to macOS and POSIX shell in tutorial (Ankit Kumar)
  • Docs: Add PowerShell setup instructions to tutorial and correct method versus property terminology (Mustansir Dabhiya)
  • Docs: Fix ordering of image rendition documentation (Seb Corbin)
  • Docs: Remove references to now-addressed Django accessibility issues (Nirmal Kumar)
  • Docs: Add content personalization how-to guide (Thibaud Colas)
  • Docs: Add new package maintenance guidelines (Thibaud Colas)
  • Docs: Fix use of format_html in insert_global_admin_js example (Lasse Schmieding)
  • Docs: Mention front-end component names in Sphinx docs for discoverability (Aditya Kammati)
  • Docs: Clarify the icon template tag is only for admin views (Aditya Kammati)
  • Docs: Add documentation for generic published and unpublished signals (Kunal Hemnani)
  • Docs: Improve organization of signals reference docs (Sage Abdullah)
  • Docs: Add documentation for overriding the default user avatar image (Aviral Sapra)
  • Docs: Document how list_export in reports accepts a dotted path for nested attribute resolution (mikko2577)
  • Docs: Update audit log actions docs to cover all currently-logged actions (Thibaud Colas)
  • Docs: Document more approaches to mitigating untrusted file uploads when storing and serving documents (Thibaud Colas)
  • Docs: Clarify default value for WAGTAILDOCS_SERVE_METHOD (Thibaud Colas)
  • Docs: Document security reporting policy about runtime vs. development dependencies (Thibaud Colas)
  • Docs: Add reference documentation for wagtail.admin.ui.tables (Sage Abdullah)
  • Maintenance: Removed support for Django 4.2
  • Maintenance: Fix LocaleController test failures caused by differing timezone representations between Node versions (Saptami, Matt Westcott)
  • Maintenance: Fix frontend coverage upload to Codecov (Sage Abdullah)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)
  • Maintenance: Fix hash_filelike test case to account for line break differences on Windows (Mustansir Dabhiya)
  • Maintenance: Fix temporary file handling in redirect import tests on Windows (Mustansir Dabhiya)
  • Maintenance: Fix use of platform-specific date formatting in edit handler tests (Mustansir Dabhiya)
  • Maintenance: Bump Node.js to 24 (active LTS), upgrade Jest and Storybook (Sage Abdullah)
  • Maintenance: Use Docker Elasticsearch images for GitHub CI instead of unofficial actions (Matt Westcott)
  • Maintenance: Make LocaleController tests robust against changes to timezone data in Node (Sage Abdullah)
  • Maintenance: Fix PermissionError on document serve tests under Windows (Matt Westcott)
  • Maintenance: Update JavaScript linting to ESLint 9, with updated linting rules and related fixes (Sage Abdullah)
  • Maintenance: Replace Puppeteer with Playwright for integration tests (Sage Abdullah)
  • Maintenance: Upgrade to latest Sass with changes for deprecated if syntax (Sage Abdullah)
  • Maintenance: Add explicit timeout-minutes to GitHub Actions workflow jobs (Ashutosh)
  • Maintenance: Upgrade Python tooling, testing, and docs dependencies (Sage Abdullah)
  • Maintenance: Support skipping transaction unit tests with a tag (Sage Abdullah)
  • Maintenance: Remove unreachable code in wagtail.py (Oluwagbeminiyi Agbedejobi)
  • Maintenance: Upgrade django-treebeard dependency to 4.8-5.x (Samir Shah)
  • Maintenance: Clean up JSDoc & ordering of values in SwapController (LB (Ben Johnston))
  • Maintenance: Refactor accessibility checker code to use generic content checker terminology (Thibaud Colas)
  • Maintenance: Upgrade BeautifulSoup dependency to >=4.13.3 (Matt Westcott)
  • Maintenance: Make sphinx_llms.txt extension optional when building docs (Sage Abdullah)
  • Maintenance: Refactor handling of invalid form submissions in choosers (Sage Abdullah)
  • Maintenance: Switch StreamField block rendering to use w-block- prefixes for block type class names (Kalash Kumari Thakur)
  • Maintenance: Upgrade CodeQL security scanning to cover more parts of the codebase (Thibaud Colas)
  • Maintenance: Upgrade django-modelcluster to 6.5 to fix issues with duplicated inline children (Alex Tomkins, Matt Westcott)
v7.3.2 Security relevant
Security fixes
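  • Improper permission handling when comparing revisions (CVE not provided)
  • Improper permission handling when viewing page history (CVE not provided)
  • Improper permission handling when deleting form submissions (CVE not provided)
  • Improper restriction handling on Documents and Images API (CVE not provided)
  • Improper permission handling when copying pages (CVE not provided)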
Full changelog
  • Security fix: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Security fix: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Security fix: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Security fix: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Security fix: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: Use protocol-relative URLs in the userbar for compatibility with environments where Django does not detect the protocol (Sage Abdullah)
  • Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
  • Fix: Avoid creating a new editing session when updating UI elements after an autosave (Sage Abdullah)
  • Fix: Group audit log entries for autosave operations in page history view (Sage Abdullah)
  • Fix: Retain page explorer header buttons when searching or filtering (Sage Abdullah)
  • Fix: Correctly escape the sizes attribute in responsive image template tags (Jake Howard)
  • Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
  • Fix: Pause SessionController pings during autosave to prevent conflict notification with own session (Sage Abdullah)
  • Fix: Ensure live preview does not get stuck when edits occur during an in-progress update (Aniket Singh)
  • Fix: Ensure only one autosave request can happen at a time to prevent incorrect conflict notifications with the current session (Sage Abdullah)
  • Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)
v7.0.7 Security relevant
Security fixes
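  • Improper permission handling when comparing revisions
  • Improper permission handling when viewing page history
  • Improper permission handling when deleting form submissions
  • Improper restriction handling on Documents and Images API
  • Improper permission handling when copying pages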
Full changelog
  • Security fix: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Security fix: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Security fix: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Security fix: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Security fix: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
  • Fix: Correctly escape the sizes attribute in responsive image template tags (Jake Howard)
  • Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
  • Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)
v7.3.1 Security relevant
Security fixes
  • CVE-2026-28222 — Improper escaping of HTML in TableBlock class attributes (Cross‑site Scripting).
  • CVE-2026-28223 — Improper escaping of HTML in simple_translation admin interface (Cross‑site Scripting).
Full changelog
  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
  • Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
  • Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
  • Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
  • Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
  • Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

About

Stars: 20,336
Forks: 4,527
Languages: Python, JavaScript, TypeScript

Install & Platforms

Install via: pip
