ContextQMD
Back to Wagtail

Wagtail 7.4 (LTS) release notes

docs/releases/7.4.md

7.4.117.6 KB
Original Source

Wagtail 7.4 (LTS) release notes

May 5, 2026

{contents}
---
local:
depth: 1
---

Wagtail 7.4 is designated a Long Term Support (LTS) release. Long Term Support releases will continue to receive maintenance updates as necessary to address security and data-loss related issues, up until the next LTS release (typically a period of 12 months).

What's new

Autosave UX enhancements

The autosave and concurrent editing notifications features have been improved based on user feedback. The improvements include: better handling of race conditions and network failures, refined messaging and alignment of indicator elements, as well as clearer display of idle users editing the same page.

These improvements were developed by Sage Abdullah, with support from the Wagtail UI team.

Deferred validation for StreamField blocks when saving drafts

StreamField blocks now support deferred validation of required fields when saving drafts of pages (or snippets using DraftStateMixin). Users can now add a StreamField block and save work-in-progress versions without filling in all fields of the block. Validation is applied as normal when the page or snippet is published, scheduled, or submitted to a workflow.

The new behavior is enabled by default, but individual field blocks can opt out by setting the required_on_save option to True. All blocks now also have an {attr}~wagtail.blocks.Block.is_deferred_validation attribute that can be used in custom validation logic to conditionally skip validation when saving drafts. For more details, refer to .

This feature was developed by Sage Abdullah.

The preview feature has been improved to be more compatible with projects that use signed cookies as the sessions backend for Django. Previewing large pages in Wagtail no longer causes the session cookie to exceed the cookie size limit enforced by browsers.

This feature was developed by Sage Abdullah. We would like to thank Personalkollen for their sponsorship of this feature.

Customizable page explorer

The page explorer can now be customized for each page type using the {class}~wagtail.admin.viewsets.pages.PageViewSet. This allows you to add custom columns, filters, and more based on the parent page. The same customizations can also be applied to the flat per-page-type listings. For more details, refer to .

This feature was developed by Sage Abdullah.

Search enhancements

The Django Modelsearch library has been upgraded to version 1.3, bringing enhancements including support for fuzzy search on PostgreSQL, searching and filtering across related fields to any level of nesting, and ranking of results on SQLite.

Content personalization documentation

is a new advanced how-to guide explaining how to meet common content personalization requirements with built-in features, such as combining BlockGroup in StreamField and preview modes to create segmented page sections. This guide was written by Thibaud Colas.

New package maintenance guidelines

The Wagtail documentation now contains a new version of our official package maintenance guidelines, which we recommend for Wagtail and Django projects. Those guidelines are meant as an opinionated starting point to help with creation and long-term maintenance of packages in our ecosystem. They support our official package template, cookiecutter-wagtail-package. This new version of the guide was written by Thibaud Colas.

Content quality checker enhancements

This release includes three enhancements to Wagtail’s content quality checker:

  • Checker issues are now displayed within the preview panel, as annotations.
  • A new SEO-focused empty-meta-description check is enabled by default, to validate meta description tags are not empty.
  • The client-side preview panel editor API now supports a new extractMetrics of PreviewController to retrieve content metrics.

Those enhancements were developed by Thibaud Colas.

Page editor UX

This release includes a number of improvements around the User Experience in the page editor, delivered with support from the Wagtail UI team.

  • Change StreamBlock options so groups are shown in declaration order of their blocks (Darshan Kerkar)
  • Preserve "Collapse all" button state when switching between editor tabs (Raghad Dahi)
  • Refine hover / focus styles for title field’s comment button (Srishti Jaiswal)
  • Preserve mailto and anchor links copy-pasted into rich text fields (Ankit Kumar)
  • Ensure "submit to workflow" menu item uses the workflow name when creating pages (Sage Abdullah)
  • Better align page descriptions in add subpage views (Tibor Leupold)

Independent security audit

Wagtail recently underwent an independent code security audit commissioned by the Interministerial Digital Directorate (DINUM) of France. Check out the audit findings and our action plan. Here are specific changes in this release made in accordance to those findings:

Thank you to the Sites Conformes team at DINUM for supporting the project by commissioning this audit!

CVE-2026-44197: Improper permission handling when comparing revisions

A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.

Many thanks to Seoyoung Kang from AhnLab and an independent security researcher for reporting this issue. For further details, please see security advisory GHSA-c6wj-9vcj-75pj.

CVE-2026-44198: Improper permission handling when viewing page history

A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.

Many thanks to Seoyoung Kang from AhnLab and an independent security researcher for reporting this issue. For further details, please see security advisory GHSA-c4mr-889m-vgf6.

CVE-2026-44199: Improper permission handling when deleting form submissions

A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Many thanks to Vishal Shukla for reporting this issue. For further details, please see security advisory GHSA-pwm3-7fv4-g6xx.

CVE-2026-44200: Improper permission handling when copying pages

A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.

Many thanks to Sanjok Karki and an independent security researcher for reporting this issue. For further details, please see security advisory GHSA-67rv-mg8q-5pf3.

CVE-2026-44201: Improper restriction handling on Documents and Images API

The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.

Many thanks to Sanjok Karki and an independent security researcher for reporting this issue. For further details, please see security advisory GHSA-p5gm-92h4-6pv6.

Other features

  • Add is_deferred_validation flag to support skipping custom validation when saving drafts (Daniel Kirkham)
  • Update project template Dockerfile to build dependencies in a separate stage (Brylie Oxley, Akshat Gupta)
  • Add include_root parameter to admin pages API endpoint (Divyansh Mishra)
  • Add support for Flourish oEmbeds (Garrett Coakley)
  • Add support for Heyzine oEmbeds (Baptiste Darthenay)
  • Allow specifying creation_form_class on ChooserViewSet as a dotted path string (K Adithya)
  • Optimize combining of querysets in site history report (Alex Bridge)
  • Add more informative error for format-* operations on SVG images (Ankit Kumar)
  • Add setting to disable permission filtering on page searches (Matt Westcott)
  • Use choice label when displaying choice fields in SnippetViewSet/ModelViewSet's list_display (Srishti Jaiswal)
  • Add a new routablefullpageurl template tag, supporting full page URLs for routable pages (Pravin Kamble)
  • Enhance page content type usage view with custom listings and ability to create new pages (Sage Abdullah)

Bug fixes

  • Handle nested inline models when displaying object usage information (Sage Abdullah, Kacper Walęga, Tian Jie Wong)
  • Avoid duplicate get_object() DB query in API detail view (Siddheshwar Kadam)
  • Ensure ImageBlock alt text populates on choosing a new image after unchecking decorative state (Pratham Jaiswal)
  • Set verbose_name_plural for Query model in search promotions app (Saptami)
  • Truncate overly long task names in workflow admin view (Gaurav Takhi)
  • Hide "Add child page" button when no child pages can be created as per max_count or max_count_per_parent (Lasse Schmieding)
  • Prevent multiple child pages with max_count_per_parent being moved under one parent (James Biggs)
  • Use POST instead of DELETE in Cloudflare Frontend Cache Backend (Tom Usher)
  • Handle null values for title, author name or provider name in OEmbed responses (Baptiste Darthenay)
  • Preserve original data types from ChoiceBlock choices in block values (Devarshi Mani Tripathi)
  • Fix translation sync logic for django-treebeard 5.0.2 (Matt Westcott)
  • Correctly HTML-escape page title in approval/rejection notification emails (Matt Westcott)
  • Correctly HTML-escape URL in photo type oembeds (Thibaud Colas)
  • Ensure user with appropriate permissions can cancel a workflow task (Dan Braghis)
  • Correctly close the Pages menu panel when clicking sidebar search (Divyansh Mishra)

Documentation

  • Add documentation for the filter_spec parameter of ImageRenditionField (Soumya-codr)
  • Add guide for testing document upload forms (Wenli Tsai, Bhavesh Sharma)
  • Document the nested_default_fields attribute on API viewsets (Deepanshu Tevathiya)
  • Replace http with https in example URLs (Kunal Gupta)
  • Use pathlib.Path for settings in "Integrating into Django" documentation (Kunal Gupta)
  • Clarify example of how to implement custom embed finders (Naman Sharma S)
  • Add documentation for using the ReferenceIndex API (Saptami)
  • Retitle documentation page for settings contrib module to "Settings models" (Karl Hobley)
  • Fix typos and minor grammar issues (Kunal Gupta)
  • Correct references to macOS and POSIX shell in tutorial (Ankit Kumar)
  • Add PowerShell setup instructions to tutorial and correct method versus property terminology (Mustansir Dabhiya)
  • Fix ordering of image rendition documentation (Seb Corbin)
  • Remove references to now-addressed Django accessibility issues (Nirmal Kumar)
  • Fix use of format_html in insert_global_admin_js example (Lasse Schmieding)
  • Mention front-end component names in Sphinx docs for discoverability (Aditya Kammati)
  • Clarify the icon template tag is only for admin views (Aditya Kammati)
  • Add documentation for generic published and unpublished signals (Kunal Hemnani)
  • Improve organization of signals reference docs (Sage Abdullah)
  • Add documentation for overriding the default user avatar image (Aviral Sapra)
  • Document how list_export in reports accepts a dotted path for nested attribute resolution (mikko2577)
  • Add reference documentation for wagtail.admin.ui.tables (Sage Abdullah)

Maintenance

  • Removed support for Django 4.2
  • Fix LocaleController test failures caused by differing timezone representations between Node versions (Saptami, Matt Westcott)
  • Fix frontend coverage upload to Codecov (Sage Abdullah)
  • Update semgrep to 1.150.0 (Pravin Kamble)
  • Fix hash_filelike test case to account for line break differences on Windows (Mustansir Dabhiya)
  • Fix temporary file handling in redirect import tests on Windows (Mustansir Dabhiya)
  • Fix use of platform-specific date formatting in edit handler tests (Mustansir Dabhiya)
  • Bump Node.js to 24 (active LTS), upgrade Jest and Storybook (Sage Abdullah)
  • Use Docker Elasticsearch images for GitHub CI instead of unofficial actions (Matt Westcott)
  • Make LocaleController tests robust against changes to timezone data in Node (Sage Abdullah)
  • Fix PermissionError on document serve tests under Windows (Matt Westcott)
  • Update JavaScript linting to ESLint 9, with updated linting rules and related fixes (Sage Abdullah)
  • Replace Puppeteer with Playwright for integration tests (Sage Abdullah)
  • Upgrade to latest Sass with changes for deprecated if syntax (Sage Abdullah)
  • Add explicit timeout-minutes to GitHub Actions workflow jobs (Ashutosh)
  • Upgrade Python tooling, testing, and docs dependencies (Sage Abdullah)
  • Support skipping transaction unit tests with a tag (Sage Abdullah)
  • Remove unreachable code in wagtail.py (Oluwagbeminiyi Agbedejobi)
  • Upgrade django-treebeard dependency to 4.8-5.x (Samir Shah)
  • Clean up JSDoc & ordering of values in SwapController (LB (Ben Johnston))
  • Refactor accessibility checker code to use generic content checker terminology (Thibaud Colas)
  • Upgrade BeautifulSoup dependency to >=4.13.3 (Matt Westcott)
  • Make sphinx_llms.txt extension optional when building docs (Sage Abdullah)
  • Refactor handling of invalid form submissions in choosers (Sage Abdullah)
  • Switch StreamField block rendering to use w-block- prefixes for block type class names (Kalash Kumari Thakur)
  • Upgrade django-modelcluster to 6.5 to fix issues with duplicated inline children (Alex Tomkins, Matt Westcott)

Upgrade considerations - changes affecting all projects

New StreamField blocks CSS class prefix

StreamField blocks template rendering with include_block now a new w- prefix for CSS class names, such as w-block-my_block_name. For backwards compatibility, this is in addition to the pre-existing block-my_block_name classes. Those legacy classes without the w- prefix will be removed in a future release.

Upgrade considerations - deprecation of old functionality

Removed support for Django 4.2

Django 4.2 is no longer supported as of this release; please upgrade to Django 5.2 or above before upgrading Wagtail.

Upgrade considerations - changes affecting Wagtail customizations

Refactored content checker

The userbar AccessibilityItem has been renamed to {class}~wagtail.admin.userbar.ContentCheckerItem, to better signify its use for all types of content checks. The public API is identical aside from the renaming. Internals have also been renamed to use more appropriate terminology.

Upgrade considerations - changes to undocumented internals

Deprecation of the {% page_header_buttons %} template tag

The undocumented {% page_header_buttons %} template tag and its corresponding wagtailadmin/pages/listing/_page_header_buttons.html template have been deprecated and will be removed in a future release. If you made use of them in your templates, consider using the documented register_page_header_buttons hook, or overriding header_more_buttons and/or header_buttons in your custom page view instead. Alternatively, use the wagtail.admin.ui.menus.pages.get_page_header_buttons function to get the buttons, and render them as template components inside a dropdown menu instead.

Using the {% page_header_buttons %} template tag and its template will continue to work for now, but will raise a deprecation warning.