CVE-2026-27838
published 2026-02-26


Priority: P4 (15)
Severity: Low
CVSS 3.1: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
EPSS: 0.24% (15.6th percentile)
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`, the step that enforces ownership of the requested routine. In versions up to and including 2.4, the cache keys are scoped only by `pk`; no user ID is included. Once a victim has accessed their routine through the API and the response has been cached, an attacker who requests the same `pk` receives the cached response without any ownership check being performed. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
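The following is an added example and is not wger's code or the content of the referenced commit. It models the pattern the advisory describes with an in-memory cache and a stand-in for `self.get_object()`: the vulnerable view consults a `pk`-only cache key before authorizing, so a cache entry warmed by the owner is served to any other user, while the hardened view authorizes on every request and scopes the key by user ID. The names (`Routine`, `routine_detail_vulnerable`, `routine_detail_fixed`, `demo`) and the sample data are constructed for illustration; the real fix may differ in detail.

```python
"""Added example (not wger's code): cache consulted before the ownership
check, and one way to fix it. All names and data here are constructed."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Routine:
    pk: int
    owner_id: int
    name: str


# Constructed sample data: two users (100 and 200), one routine each.
ROUTINES = {
    1: Routine(pk=1, owner_id=100, name="alice push/pull"),
    2: Routine(pk=2, owner_id=200, name="bob legs"),
}

# Process-wide cache shared by all requests, like Django's cache backend.
CACHE: dict = {}


def get_object(pk: int, user_id: int) -> Routine:
    """Stand-in for DRF's self.get_object(): loads the row and enforces
    ownership. This is the step the vulnerable path skips on a cache hit."""
    routine = ROUTINES.get(pk)
    if routine is None or routine.owner_id != user_id:
        raise PermissionDenied(f"user {user_id} may not read routine {pk}")
    return routine


def serialize(routine: Routine) -> dict:
    return {"pk": routine.pk, "name": routine.name}


def routine_detail_vulnerable(pk: int, user_id: int) -> dict:
    """Vulnerable pattern: key scoped by pk only, cache checked before
    get_object(). Any cache hit bypasses the ownership check entirely."""
    key = f"routine-detail-{pk}"
    if key in CACHE:
        return CACHE[key]
    data = serialize(get_object(pk, user_id))
    CACHE[key] = data
    return data


def routine_detail_fixed(pk: int, user_id: int) -> dict:
    """Hardened pattern: authorize first on every request, then use a key
    that includes the user id so entries never cross user boundaries."""
    routine = get_object(pk, user_id)
    key = f"routine-detail-{user_id}-{pk}"
    if key in CACHE:
        return CACHE[key]
    data = serialize(routine)
    CACHE[key] = data
    return data


def demo(view) -> tuple:
    """Victim (user 100) warms the cache for pk=1, then attacker (user 200)
    requests the same pk. Returns (victim_result, attacker_result_or_None)."""
    CACHE.clear()
    victim = view(1, 100)
    try:
        attacker = view(1, 200)
    except PermissionDenied:
        attacker = None
    return victim, attacker


if __name__ == "__main__":
    print("vulnerable:", demo(routine_detail_vulnerable))
    print("fixed:     ", demo(routine_detail_fixed))
```

The `demo` sequence doubles as the regression test a practitioner would want for this class of bug: warm the cache as the owner, then repeat the request as a different authenticated user and expect a permission error, not the owner's data. Note that the first request from the attacker against a cold cache is correctly rejected even in the vulnerable view; the flaw only manifests after the legitimate owner has populated the shared entry, which is why the CVSS vector carries UI:R.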

Affected (3 ranges)

Vendor          Product   Version range   Fixed in
wger-project    wger      <= 2.4
wger            wger      <= 2.4
wger            wger      0 – 2.1