cbcvebase.
CVE-2026-27839
published 2026-02-26

CVE-2026-27839: wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via…

PriorityP425medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.26%
17.3th percentile
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

Affected

3 ranges
VendorProductVersion rangeFixed in
wger-projectwger<= 2.4
wgerwger<= 2.4
wgerwger0 – 2.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.