91 matches found
CVE-2026-27838
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...
CVE-2026-27838 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...
CVE-2026-27838
The CVE covers wger (open-source fitness manager) where five routine-detail API endpoints cache responses using keys scoped only by the public primary key (pk). In versions up to 2.4, this allows an attacker to retrieve a cached response for a given pk after a victim has accessed their routine, e...
CVE-2026-27835
Issue summary. CVE-2026-27835 affects wger (versions up to 2.4). The vulnerable components are RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet, whose get_queryset() returns all objects (using .all()) instead of filtering by the authenticated user, enabling an authenticated user to enumer...
CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...
CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...
wger 安全漏洞
WGER is an open-source project developed by the WGER Team, written in Django, and serves as a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities, which were caused by improper handling of cache key...
wger 安全漏洞
WGER is an open-source project developed by the WGER Team, written in Django, and serves as a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities; these vulnerabilities stemmed from bypassing user-scop...
PT-2026-22204
Name of the Vulnerable Software and Affected Versions wger versions prior to 2.4 Description The software contains a flaw where routine detail action endpoints check a cache before verifying object ownership using self.get object. Cache keys are scoped only by the primary key pk and do not includ...
wger 安全漏洞
WGER is an open-source project developed by the WGER Team, written in Django, and it’s a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities. These vulnerabilities were due to improper filtering of que...
EUVD-2023-0284
Malicious code in bioql PyPI...
EUVD-2023-0283
Malicious code in bioql PyPI...
EUVD-2022-7352
Malicious code in bioql PyPI...
CVE-2023-38759
Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/resetuserpassword.html, templates/user/overview.html, core/views/user.py, and...
CVE-2023-38758
Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...
CVE-2022-2650
Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2...
wger Workout Manager Cross-site Scripting vulnerability
Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...
wger Workout Manager Cross-Site Request Forgery vulnerability
Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/resetuserpassword.html, templates/user/overview.html, core/views/user.py, and...
GHSA-WRW3-QMQW-4X9W wger Workout Manager Cross-Site Request Forgery vulnerability
Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/resetuserpassword.html, templates/user/overview.html, core/views/user.py, and...
GHSA-8M9P-3926-GFFR wger Workout Manager Cross-site Scripting vulnerability
Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...