Lucene search
+L

5 matches found

Snyk
Snyk
added 2026/02/27 12:16 a.m.2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the getqueryset function in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet process. An attacker can access other users' workout configuration data by sending authenticat...

5.3CVSS6AI score0.00257EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/26 10:13 p.m.12 views

wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

Summary RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Details...

4.3CVSS5.5AI score0.00257EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/02/26 10:0 p.m.6 views

CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...

4.3CVSS5.8AI score0.00257EPSS
Exploits1References4
CVE
CVE
added 2026/02/26 10:0 p.m.27 views

CVE-2026-27835

Issue summary. CVE-2026-27835 affects wger (versions up to 2.4). The vulnerable components are RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet, whose get_queryset() returns all objects (using .all()) instead of filtering by the authenticated user, enabling an authenticated user to enumer...

4.3CVSS5.3AI score0.00257EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.13 views

PT-2026-22203

Name of the Vulnerable Software and Affected Versions wger versions prior to 2.4 Description wger is a free, open-source workout and fitness manager. Versions up to and including 2.4 improperly handle user data retrieval. The RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet API endpoints...

4.3CVSS5.9AI score0.00257EPSS
Exploits1References13
Rows per page
Query Builder