| CVE | Severity | Score | Score | Published | Title |
|---|---|---|---|---|---|
| CVE-2026-43948 | critical | 9.9 | 9.9 | 22d ago | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass |
| CVE-2026-43978 | high | — | 8.0 | 21d ago | wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager |
| CVE-2026-43977 | high | — | 8.0 | 21d ago | wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API |
| CVE-2026-40353 | unknown | — | — | 2mo ago | wger has Stored XSS via Unescaped License Attribution Fields |
| CVE-2026-40474 | unknown | — | — | 2mo ago | wger has Broken Access Control in Global Gym Configuration Update Endpoint |
| CVE-2026-27839 | unknown | — | — | 3mo ago | wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup |
| CVE-2026-27838 | unknown | — | — | 3mo ago | wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data |
| CVE-2026-27835 | unknown | — | — | 3mo ago | wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data |
| CVE-2023-38759 | unknown | — | — | 3y ago | Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templ… |
| CVE-2023-38758 | unknown | — | — | 3y ago | Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the license_author field in the add-ingredient function in the templa… |
| CVE-2022-2650 | unknown | — | — | 4y ago | wger vulnerable to brute force attempts |