cbcvebase.
CVE-2026-40474
published 2026-04-17

CVE-2026-40474: wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required =…

PriorityP350high7.6CVSS 3.1
AVNACLPRLUINSUCLIHAL
EPSS
0.33%
25.1th percentile
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.

Affected

3 ranges
VendorProductVersion rangeFixed in
wger-projectwger< 2.52.5
wgerwger< 2.52.5
wgerwger0 – 2.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.