CVE-2026-43978
CVE-2026-43978 describes a privilege-escalation in wger prior to version 2.6 where a gym trainer can chain two trainer-login calls to impersonate higher-privileged users (gym manager/general manager). The root cause is a logic error in wger/core/views/user.py: after the first hop, session["traine...