Lucene search
K

5 matches found

RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.4 views

CVE-2026-40474

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permissionrequired = 'config.changegymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/17 9:39 p.m.4 views

CVE-2026-40474

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permissionrequired = 'config.changegymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/04/17 9:39 p.m.18 views

CVE-2026-40474 wger has Broken Access Control in the Global Gym Configuration Update Endpoint

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permissionrequired = 'config.changegymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an...

7.6CVSS0.00333EPSS
Exploits1References3
CVE
CVE
added 2026/04/17 9:39 p.m.10 views

CVE-2026-40474

CVE-2026-40474 - wger : In versions 2.5 and below, GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but uses WgerFormMixin (which enforces ownership checks) instead of the permission-enforcing mixin. Since GymConfig is a singleton without get_owner_object(), the permis...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/16 1:35 a.m.5 views

wger has Broken Access Control in Global Gym Configuration Update Endpoint

Summary wger exposes a global configuration edit endpoint at /config/gym-config/edit implemented by GymConfigUpdateView. The view declares permissionrequired = 'config.changegymconfig' but does not enforce it because it inherits WgerFormMixin ownership-only checks instead of the project’s...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder