CVE-2026-43977 wger IDOR: Authenticated Users Can Read Others' Private Workout Session Data via Template Routine API
wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exis...