107 matches found
GHSA-CJ9G-27PH-4CGV wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
Summary Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The RoutinePermission class grants read access to any authenticated user when a routine has...
CVE-2026-27835
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their get_queryset() calls .all() instead of filtering by the authenticated user. Any registered user...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key. An attacker can access another user's workout routine details, including day sequences, exercise structure, training logs, and statistics, by making API requests to endpoints with a...
EUVD-2026-8906
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data...
CVE-2026-27838 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.get_object(). In versions up to and including 2.4, cache keys are scoped only by pk; no user ID is included. When a victim has previously accessed their routine via the API...
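The two wger IDOR patterns described in the entries above (a list endpoint whose queryset is not scoped to the caller, and a per-object cache keyed only by pk that is consulted before the ownership check) are easy to reproduce in isolation. The following is an added example written for this page, not wger's code: Routine, LogsAction, the user IDs and the log lines are constructed stand-ins, and no Django is required.

```python
# Added example: stand-alone simulation of the two IDOR patterns above.
# Not wger's code; Routine, LogsAction and the sample data are constructed.
from dataclasses import dataclass


@dataclass
class Routine:
    pk: int
    user_id: int          # owner of the routine
    name: str
    logs: list


# Constructed sample data: user 100 is the victim, user 200 the attacker.
ROUTINES = {
    1: Routine(1, 100, "victim push/pull", ["2025-01-02 bench 5x5 @ 80 kg"]),
    2: Routine(2, 200, "attacker legs", ["2025-01-03 squat 3x5 @ 100 kg"]),
}


class PermissionDenied(Exception):
    pass


# Pattern 1: the list endpoint's queryset is not scoped to the caller.
def list_routines_vulnerable(user_id: int) -> list:
    """Stand-in for a get_queryset() that returns Model.objects.all()."""
    return list(ROUTINES.values())


def list_routines_fixed(user_id: int) -> list:
    """Stand-in for Model.objects.filter(user=request.user)."""
    return [r for r in ROUTINES.values() if r.user_id == user_id]


# Pattern 2: a detail action caches its result per routine.
class LogsAction:
    def __init__(self, scoped: bool):
        self.scoped = scoped
        self.cache = {}

    def get_object(self, user_id: int, pk: int) -> Routine:
        """Object lookup plus ownership check (what the object getter should do)."""
        r = ROUTINES.get(pk)
        if r is None or r.user_id != user_id:
            raise PermissionDenied(f"user {user_id} may not read routine {pk}")
        return r

    def logs(self, user_id: int, pk: int) -> list:
        if not self.scoped:
            # Vulnerable order: cache lookup first, keyed by pk only. A hit
            # skips get_object(), so the ownership check never runs.
            if pk in self.cache:
                return self.cache[pk]
            r = self.get_object(user_id, pk)
            self.cache[pk] = list(r.logs)
            return self.cache[pk]
        # Fixed order: authorize first, then cache under a user-scoped key so
        # a hit can never hand one user's data to another.
        r = self.get_object(user_id, pk)
        key = (user_id, pk)
        if key not in self.cache:
            self.cache[key] = list(r.logs)
        return self.cache[key]


def attempt(action: LogsAction, user_id: int, pk: int):
    """Return the logs, or the string 'denied' when the ownership check fires."""
    try:
        return action.logs(user_id, pk)
    except PermissionDenied:
        return "denied"


def demo() -> dict:
    """Replay the advisory's scenario against both implementations."""
    results = {}
    results["unscoped_list_leaks"] = len(list_routines_vulnerable(200))
    results["scoped_list"] = [r.pk for r in list_routines_fixed(200)]

    vuln = LogsAction(scoped=False)
    results["attacker_first"] = attempt(vuln, 200, 1)          # cache cold: denied
    attempt(vuln, 100, 1)                                       # victim warms the cache
    results["attacker_after_victim"] = attempt(vuln, 200, 1)   # cache hit: leak

    fixed = LogsAction(scoped=True)
    attempt(fixed, 100, 1)
    results["fixed_attacker_after_victim"] = attempt(fixed, 200, 1)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unscoped cache only leaks once the owner has populated it, which is the precondition the advisory spells out; the fix is both to include the caller in the key and to run the ownership check before the cache is consulted, since a user-scoped key alone still leaves the data reachable if the check is ever skipped.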
EUVD-2015-1048
Malware in sbrugna...
MAL-2025-5098 Malicious code in blackspammerbd-workout (PyPI)
CVE-2024-24050
Cross Site Scripting XSS vulnerability in Sourcecodester Workout Journal App 1.0 allows attackers to run arbitrary code via parameters firstname and lastname in /add-user.php...
CVE-2023-38758
Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the license_author field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...
CVE-2015-10034
A vulnerability has been found in j-nowak workout-organizer and classified as critical. This vulnerability affects unknown code. The manipulation leads to sql injection. The patch is identified as 13cd6c3d1210640bfdb39872b2bb3597aa991279. It is recommended to apply a patch to fix this issue...
CVE-2024-24050
Concrete details found: CVE-2024-24050 affects Sourcecodester Workout Journal App 1.0. The vulnerability is Cross-Site Scripting (XSS) via the firstname and lastname parameters in /add-user.php, potentially allowing arbitrary code execution. Documented by multiple sources (NVD, Red Hat, CVE List,...
Sourcecodester Workout Journal App cross-site scripting vulnerability
Workout Journal App is a workout journal application. Version 1.0 of the Sourcecodester Workout Journal App has a security vulnerability that stems from cross-site scripting (XSS) via the firstname and lastname parameters in the file /add-user.php...
PT-2024-20255 · Sourcecodester · Sourcecodester Workout Journal App
Name of the Vulnerable Software and Affected Versions: Sourcecodester Workout Journal App version 1.0 Description: The issue allows attackers to run arbitrary code via parameters firstname and lastname in the "/add-user.php" API endpoint. This enables attackers to execute arbitrary code,...
GHSA-8M9P-3926-GFFR wger Workout Manager Cross-site Scripting vulnerability
Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the license_author field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components...
CVE-2023-38759
Cross Site Request Forgery CSRF vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset_user_password.html, templates/user/overview.html, core/views/user.py, and...