### [CVE-2024-39317](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39317)
![](https://img.shields.io/static/v1?label=Product&message=wagtail&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%202.0%2C%20%3C%205.2.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%206.0%2C%20%3C%206.0.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%206.1%2C%20%3C%206.1.3%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1333%3A%20Inefficient%20Regular%20Expression%20Complexity&color=brightgreen)

### Description

Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds