VYPR
Vendor

Wger Project

Products
2
CVEs
8
Across products
8
Status
Private

Products

2

Recent CVEs

8
  • CVE-2026-43948CriMay 12, 2026
    risk 0.64cvss 9.9epss 0.00

    wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the…

  • CVE-2026-43978higMay 14, 2026
    risk 0.45cvss epss 0.00

    ### Summary A gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag `trainer.identity`…

  • CVE-2026-43977higMay 14, 2026
    risk 0.45cvss epss 0.00

    ### Summary Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The RoutinePermission class grants read access to any authenticated user…

  • CVE-2026-40474HigApr 17, 2026
    risk 0.42cvss 7.6epss 0.00

    wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since…

  • CVE-2026-40353MedApr 17, 2026
    risk 0.28cvss 5.4epss 0.00

    wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the…

  • CVE-2026-27839Feb 26, 2026
    risk 0.00cvss epss 0.00

    wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read…

  • CVE-2026-27838Feb 26, 2026
    risk 0.00cvss epss 0.00

    wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a victim has previously…

  • CVE-2026-27835Feb 26, 2026
    risk 0.00cvss epss 0.00

    wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the…