CVE-2026-27839
- EPSS 0.03%
- Veröffentlicht 26.02.2026 22:07:43
- Zuletzt bearbeitet 03.03.2026 00:49:06
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authen...
CVE-2026-27838
- EPSS 0.03%
- Veröffentlicht 26.02.2026 22:04:57
- Zuletzt bearbeitet 03.03.2026 00:50:54
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a vi...
CVE-2026-27835
- EPSS 0.03%
- Veröffentlicht 26.02.2026 22:00:23
- Zuletzt bearbeitet 03.03.2026 20:01:10
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead ...
CVE-2022-2650
- EPSS 0.2%
- Veröffentlicht 24.11.2022 17:15:10
- Zuletzt bearbeitet 21.11.2024 07:01:26
Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2.