Security: wger-project/wger
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Uncontrolled Resource Consumption in wger
  GHSA-v25j-wqcw-fvhj, published May 8, 2026 by rolandgeider. Severity: Moderate
- IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
  GHSA-cj9g-27ph-4cgv, published May 14, 2026 by rolandgeider. Severity: High
- Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
  GHSA-9qpr-vc49-hqg2, published May 14, 2026 by rolandgeider. Severity: High
- wger: trainer_login open redirect - ?next= parameter not validated against host
  GHSA-vqv8-j3mj-wjxj, published Apr 28, 2026 by rolandgeider. Severity: Moderate
- wger: CSV/TSV formula injection in gym member export (first_name/last_name)
  GHSA-xq9m-hmp9-fw87, published Apr 28, 2026 by rolandgeider. Severity: High
- wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
  GHSA-mhc8-p3jx-84mm, published Apr 28, 2026 by rolandgeider. Severity: Critical
- Stored XSS via Unescaped License Attribution Fields
  GHSA-6f54-qjvm-wwq3, published Apr 15, 2026 by rolandgeider. Severity: High
- Broken Access Control in Global Gym Configuration Update Endpoint
  GHSA-xppv-4jrx-qf8m, published Apr 15, 2026 by rolandgeider. Severity: High
- IDOR via user-unscoped cache keys on routine API actions exposes workout data
  GHSA-42cr-w2gr-m54q, published Feb 26, 2026 by rolandgeider. Severity: Low