Wagtail is vulnerable to cross-site scripting (XSS). Because URLs are not properly checked for validity, a malicious user with access to the admin interface can send a malicious POST request to publish content with javascript: URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
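The kind of server-side URL check whose absence is described above, as an added example (not Wagtail's code and not the project's patch). It assumes the submitted content is HTML with links in href attributes; the function names, the allowed-scheme set and the sample markup are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "mailto", "tel", "ftp"}  # assumed policy
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def is_safe_href(url):
    """Return True if url is relative or uses an allow-listed scheme."""
    # Browsers drop tab/CR/LF anywhere in a URL and trim surrounding
    # C0 controls and spaces, so normalise the same way before checking.
    cleaned = re.sub(r"[\t\r\n]", "", url).strip(_C0_AND_SPACE)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in cleaned):
        return False  # leftover control characters: refuse rather than guess
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # no scheme: relative path, query or fragment
    return match.group(1).lower() in ALLOWED_SCHEMES


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in values,
        # so an entity-encoded scheme arrives here in plain form.
        for name, value in attrs:
            if name == "href" and value and not is_safe_href(value):
                self.rejected.append(value)


def unsafe_links(html):
    """Return every href in the submitted HTML that fails the scheme check."""
    collector = _HrefCollector()
    collector.feed(html)
    collector.close()
    return collector.rejected


SAMPLE = (  # constructed input, as it might arrive in a POST body
    '<p><a href="/about/">ok</a> <a href="https://example.com">ok</a> '
    '<a href="JaVaScRiPt:alert(1)">x</a> '
    '<a href=" java&#9;script:alert(2)">y</a> '
    '<a href="&#106;avascript:alert(3)">z</a></p>'
)
```

A save or publish handler would reject the request when unsafe_links() returns a non-empty list, so the check holds regardless of what the admin's client-side editor allows.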
github.com/wagtail/wagtail/blob/1069e2b44a44b0c5f692041d42c2b44fcf15f19e/docs/releases/2.12.4.rst
github.com/wagtail/wagtail/blob/fec40b211bd99ce93caec0b0669e7c7d3aa2e27c/docs/releases/2.11.7.rst
github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4
github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c
github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx
pypi.org/project/wagtail/