Build software better, together

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Sibling-unpatched code paths in wger/core/views/user.py retain the same gym=None authorization gap as GHSA-mhc8-p3jx-84mm — cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
GHSA-mw8f-w6p8-xrf4 published May 14, 2026 by rolandgeider

High
Uncontrolled Resource Consumption in wger
GHSA-v25j-wqcw-fvhj published May 8, 2026 by rolandgeider

Moderate
IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
GHSA-cj9g-27ph-4cgv published May 14, 2026 by rolandgeider

High
Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
GHSA-9qpr-vc49-hqg2 published May 14, 2026 by rolandgeider

High
wger: trainer_login open redirect - ?next= parameter not validated against host
GHSA-vqv8-j3mj-wjxj published Apr 28, 2026 by rolandgeider

Moderate
wger: CSV/TSV formula injection in gym member export (first_name/last_name)
GHSA-xq9m-hmp9-fw87 published Apr 28, 2026 by rolandgeider

High
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
GHSA-mhc8-p3jx-84mm published Apr 28, 2026 by rolandgeider

Critical
Stored XSS via Unescaped License Attribution Fields
GHSA-6f54-qjvm-wwq3 published Apr 15, 2026 by rolandgeider

High
Broken Access Control in Global Gym Configuration Update Endpoint
GHSA-xppv-4jrx-qf8m published Apr 15, 2026 by rolandgeider

High
IDOR via user-unscoped cache keys on routine API actions exposes workout data
GHSA-42cr-w2gr-m54q published Feb 26, 2026 by rolandgeider

Low

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Reporting

Security Advisories

Uh oh!

Uh oh!

Security: wger-project/wger

Security Advisories