2 matches found
CVE-2026-27838 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...
CVE-2026-27838
creationtimestamp| type| source ---|---|--- 2026-02-26 14:40:58+00:00| published-proof-of-concept| https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q 2026-02-27 06:10:18+00:00| seen| https://gist.github.com/alon710/87a9eaadd5362fd30512683dd9901643...