3 matches found
CVE-2026-43977
wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exis...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the logs and stats API actions in the RoutineViewSet process. An attacker can access another user's private workout session notes, exercise history, and training statistics by enumerating public template routin...
PT-2026-41136
Name of the Vulnerable Software and Affected Versions wger versions prior to 2.5.0a2 Description An insecure direct object reference IDOR allows any authenticated user to access the private health data of other users. The issue occurs when a user has a routine marked as a public template, which...