cvebase

Wger-Project Wger vulnerabilities

6 known vulnerabilities affecting wger-project/wger.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 3, LOW 1

Vulnerabilities

CVE-2026-43948 | P2 | CRITICAL | CVSS 9.9 | fixed in 2.6 | 2026-05-12
CVE-2026-43948 [CRITICAL] CWE-863: wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None).
Source: nvd
CVE-2026-40474 | P3 | HIGH | CVSS 7.6 | fixed in 2.5 | 2026-04-17
CVE-2026-40474 [HIGH] CWE-284: wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the
Source: nvd
CVE-2026-40353 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.5 | 2026-04-17
CVE-2026-40353 [MEDIUM] CWE-79: wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an i
Source: nvd
CVE-2026-27839 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.4 | 2026-02-26
CVE-2026-27839 [MEDIUM] CWE-639: wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)`, a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full ma
Source: nvd
CVE-2026-27835 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.4 | 2026-02-26
CVE-2026-27835 [MEDIUM] CWE-639: wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout
Source: nvd
CVE-2026-27838 | P4 | LOW | CVSS 3.5 | ≤ 2.4 | 2026-02-26
CVE-2026-27838 [LOW] CWE-639: wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, cache keys are scoped only by `pk`; no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for
Source: nvd