CVE-2026-43948 | critical | 9.9 | 9.9 | 15d ago | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | python
CVE-2026-43978 | high | — | 8.0 | 13d ago | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager | python
CVE-2026-43977 | high | — | 8.0 | 13d ago | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API | python
CVE-2026-40353 | unknown | — | — | 1mo ago | wger has Stored XSS via Unescaped License Attribution Fields | python
CVE-2026-40474 | unknown | — | — | 1mo ago | wger has Broken Access Control in Global Gym Configuration Update Endpoint | python
CVE-2026-27839 | unknown | — | — | 3mo ago | wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup | python
CVE-2026-27838 | unknown | — | — | 3mo ago | wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data | python
CVE-2026-27835 | unknown | — | — | 3mo ago | wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data | python
CVE-2023-38759 | unknown | — | — | 3y ago | Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templ… | python
CVE-2023-38758 | unknown | — | — | 3y ago | Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the license_author field in the add-ingredient function in the templa… | python
CVE-2022-2650 | unknown | — | — | 4y ago | wger vulnerable to brute force attempts | python