CRITICAL 9.9 CVE-2026-43948 wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
from 0, < 2.6
from 0, < 2.2
HIGH 8.8 CVE-2023-38759 wger Workout Manager Cross-Site Request Forgery vulnerability
from 0, <= 2.2.0a3
HIGH 8.8 wger Workout Manager Cross-Site Request Forgery vulnerability
from 0
HIGH 8.1 wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
from 0, <= 2.5
HIGH 7.6 wger has Broken Access Control in Global Gym Configuration Update Endpoint
from 0, <= 2.1
HIGH 7.5 wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
from 0, <= 2.5
MEDIUM 5.4 wger has Stored XSS via Unescaped License Attribution Fields
from 0, <= 2.4
MEDIUM 5.4 wger Workout Manager Cross-site Scripting vulnerability
from 0
MEDIUM 5.4 wger Workout Manager Cross-site Scripting vulnerability
from 0, <= 2.2.0a3
MEDIUM 4.3 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
from 0, <= 2.1
MEDIUM 4.3 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
from 0, <= 2.1
LOW 3.1 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
from 0, <= 2.1