Django security releases relevant to Wagtail sites

Today, Django released security patch updates for all of its supported versions. These address an account hijack vulnerability with Django’s password reset form. We strongly recommend you have a look at websites where the password reset form might be in use to confirm whether they are vulnerable or not, and if so, upgrade Django or remove the form.

This vulnerability also affects Wagtail’s password reset form, which is built on top of Django’s own form. All you need to do is upgrade Django to one of the versions released today, which include the fix. No Wagtail upgrade needed.

If upgrading isn’t an option for you, consider disabling password resets in the meantime with the WAGTAIL_PASSWORD_RESET_ENABLED setting.

About

Features

Who uses Wagtail

Wagtail roadmap

Core team

Contact

Accessibility

Sustainability

Developer documentation

Packages

Wagtail User Guide

Try Wagtail

Get Help

FAQs

Wagtail GitHub

Blog

Slack

Newsletter

Wagtail Space

Code of conduct

Wagtail vs Wordpress

Wagtail vs Drupal

Wagtail AI

Localization & translations

Wagtail services

Sponsor a feature