pkg:PyPI/wger

13 total CVEs: CRITICAL 2, HIGH 5, MEDIUM 5, LOW 1

All known vulnerabilities

  • CRITICAL 9.9 | CVE-2026-43948 | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
    from 0, < 2.6
  • CRITICAL 9.8 | CVE-2022-2650 | wger vulnerable to brute force attempts
    from 0, < 2.2
  • HIGH 8.8 | CVE-2023-38759 | wger Workout Manager Cross-Site Request Forgery vulnerability
    from 0, <= 2.2.0a3
  • HIGH 8.8 | CVE-2023-38759 | wger Workout Manager Cross-Site Request Forgery vulnerability
    from 0
  • HIGH 8.1 | CVE-2026-43978 | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
    from 0, <= 2.5
  • HIGH 7.6 | CVE-2026-40474 | wger has Broken Access Control in Global Gym Configuration Update Endpoint
    from 0, <= 2.1
  • HIGH 7.5 | CVE-2026-43977 | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
    from 0, <= 2.5
  • MEDIUM 5.4 | CVE-2026-40353 | wger has Stored XSS via Unescaped License Attribution Fields
    from 0, <= 2.4
  • MEDIUM 5.4 | CVE-2023-38758 | wger Workout Manager Cross-site Scripting vulnerability
    from 0
  • MEDIUM 5.4 | CVE-2023-38758 | wger Workout Manager Cross-site Scripting vulnerability
    from 0, <= 2.2.0a3
  • MEDIUM 4.3 | CVE-2026-27839 | wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
    from 0, <= 2.1
  • MEDIUM 4.3 | CVE-2026-27835 | wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
    from 0, <= 2.1
  • LOW 3.1 | CVE-2026-27838 | wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
    from 0, <= 2.1