Lucene search
+L

91 matches found

ATTACKERKB
ATTACKERKB
added 2026/02/26 10:4 p.m.3 views

CVE-2026-27838

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...

3.5CVSS5.7AI score0.00245EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/26 10:4 p.m.3 views

CVE-2026-27838 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...

3.1CVSS5.9AI score0.00245EPSS
Exploits1References2
CVE
CVE
added 2026/02/26 10:4 p.m.20 views

CVE-2026-27838

The CVE covers wger (open-source fitness manager) where five routine-detail API endpoints cache responses using keys scoped only by the public primary key (pk). In versions up to 2.4, this allows an attacker to retrieve a cached response for a given pk after a victim has accessed their routine, e...

3.5CVSS5.4AI score0.00245EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/02/26 10:0 p.m.27 views

CVE-2026-27835

Issue summary. CVE-2026-27835 affects wger (versions up to 2.4). The vulnerable components are RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet, whose get_queryset() returns all objects (using .all()) instead of filtering by the authenticated user, enabling an authenticated user to enumer...

4.3CVSS5.3AI score0.00257EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/02/26 10:0 p.m.26 views

CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...

4.3CVSS0.00257EPSS
Exploits1References2
OSV
OSV
added 2026/02/26 10:0 p.m.7 views

CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...

4.3CVSS5.8AI score0.00257EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/02/26 12:0 a.m.11 views

wger 安全漏洞

WGER is an open-source project developed by the WGER Team, written in Django, and serves as a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities, which were caused by improper handling of cache key...

3.5CVSS5.8AI score0.00245EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/02/26 12:0 a.m.9 views

wger 安全漏洞

WGER is an open-source project developed by the WGER Team, written in Django, and serves as a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities; these vulnerabilities stemmed from bypassing user-scop...

4.3CVSS5.8AI score0.0026EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.9 views

PT-2026-22204

Name of the Vulnerable Software and Affected Versions wger versions prior to 2.4 Description The software contains a flaw where routine detail action endpoints check a cache before verifying object ownership using self.get object. Cache keys are scoped only by the primary key pk and do not includ...

3.5CVSS6AI score0.00245EPSS
Exploits1References13
CNNVD
CNNVD
added 2026/02/26 12:0 a.m.9 views

wger 安全漏洞

WGER is an open-source project developed by the WGER Team, written in Django, and it’s a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities. These vulnerabilities were due to improper filtering of que...

4.3CVSS5.8AI score0.00257EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.15 views

EUVD-2023-0284

Malicious code in bioql PyPI...

8.8CVSS8.4AI score0.00318EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-0283

Malicious code in bioql PyPI...

5.4CVSS5.6AI score0.00467EPSS
Exploits1References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2022-7352

Malicious code in bioql PyPI...

9.8CVSS7.8AI score0.00661EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2025/05/23 3:29 a.m.7 views

CVE-2023-38759

Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/resetuserpassword.html, templates/user/overview.html, core/views/user.py, and...

8.8CVSS7.3AI score0.00318EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 2:20 a.m.6 views

CVE-2023-38758

Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...

5.4CVSS6.8AI score0.00467EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/02/05 9:30 p.m.13 views

CVE-2022-2650

Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2...

9.8CVSS6.7AI score0.00661EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2023/08/08 6:30 p.m.25 views

wger Workout Manager Cross-site Scripting vulnerability

Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...

5.4CVSS6.8AI score0.00467EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2023/08/08 6:30 p.m.27 views

wger Workout Manager Cross-Site Request Forgery vulnerability

Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/resetuserpassword.html, templates/user/overview.html, core/views/user.py, and...

8.8CVSS7.3AI score0.00318EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2023/08/08 6:30 p.m.22 views

GHSA-WRW3-QMQW-4X9W wger Workout Manager Cross-Site Request Forgery vulnerability

Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/resetuserpassword.html, templates/user/overview.html, core/views/user.py, and...

8.8CVSS8.9AI score0.00318EPSS
Exploits0References5
OSV
OSV
added 2023/08/08 6:30 p.m.75 views

GHSA-8M9P-3926-GFFR wger Workout Manager Cross-site Scripting vulnerability

Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the licenseauthor field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...

5.4CVSS5.4AI score0.00467EPSS
Exploits1References5
Rows per page
Query Builder