CVE-2026-40474
- EPSS 0.03%
- Veröffentlicht 17.04.2026 21:39:03
- Zuletzt bearbeitet 17.04.2026 22:16:33
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never...
CVE-2026-40353
- EPSS 0.05%
- Veröffentlicht 17.04.2026 21:16:12
- Zuletzt bearbeitet 17.04.2026 22:16:33
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escapi...
CVE-2026-27839
- EPSS 0.03%
- Veröffentlicht 26.02.2026 22:07:43
- Zuletzt bearbeitet 03.03.2026 00:49:06
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authen...
CVE-2026-27838
- EPSS 0.03%
- Veröffentlicht 26.02.2026 22:04:57
- Zuletzt bearbeitet 03.03.2026 00:50:54
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, ache keys are scoped only by `pk` — no user ID is included. When a vi...
CVE-2026-27835
- EPSS 0.03%
- Veröffentlicht 26.02.2026 22:00:23
- Zuletzt bearbeitet 03.03.2026 20:01:10
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead ...
CVE-2022-2650
- EPSS 0.2%
- Veröffentlicht 24.11.2022 17:15:10
- Zuletzt bearbeitet 21.11.2024 07:01:26
Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2.