CVE-2026-27838

low

Description

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, the cache keys are scoped only by `pk`; no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership check. Commit e964328784e2ee2830a1991d69fadbce86ac9fbf contains a patch for the issue.
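The bug class the description names, modelled in plain Python as an added example (this is not wger's code; `Routine`, `get_object`, the handler names and the sample data are hypothetical stand-ins): the vulnerable handler consults a pk-only cache before the ownership check, so a cache entry warmed by the owner is served to any other authenticated user, while the fixed handler checks ownership first and scopes the key by user ID.

```python
from dataclasses import asdict, dataclass

@dataclass
class Routine:
    pk: int
    owner_id: int
    name: str

# Constructed sample data: routine 7 belongs to user 1 (hypothetical values).
ROUTINES = {7: Routine(pk=7, owner_id=1, name="push/pull/legs")}

class PermissionDenied(Exception):
    pass

def get_object(pk: int, user_id: int) -> Routine:
    """Stand-in for an ownership-checked object lookup (hypothetical)."""
    routine = ROUTINES[pk]
    if routine.owner_id != user_id:
        raise PermissionDenied(f"user {user_id} does not own routine {pk}")
    return routine

def detail_vulnerable(cache: dict, pk: int, user_id: int) -> dict:
    """Cache keyed by pk only and consulted before get_object(): a hit is
    served to any authenticated user without an ownership check."""
    key = f"routine-detail-{pk}"
    if key in cache:
        return cache[key]
    cache[key] = asdict(get_object(pk, user_id))
    return cache[key]

def detail_fixed(cache: dict, pk: int, user_id: int) -> dict:
    """Ownership check runs before the cache lookup, and the key carries the
    user ID so cached entries are never shared between users."""
    routine = get_object(pk, user_id)
    key = f"routine-detail-{user_id}-{pk}"
    if key not in cache:
        cache[key] = asdict(routine)
    return cache[key]

def probe(handler) -> str:
    """Owner (user 1) warms the cache, then user 2 requests the same pk.
    Returns 'leaked' if user 2 receives data, 'denied' otherwise."""
    cache: dict = {}
    handler(cache, 7, 1)
    try:
        handler(cache, 7, 2)
        return "leaked"
    except PermissionDenied:
        return "denied"
```

`probe(detail_vulnerable)` returns `"leaked"` and `probe(detail_fixed)` returns `"denied"`; the same two-request sequence is also the regression test a project would add alongside the fix.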

References

https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q

https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf

Details

Source: Mitre, NVD

Published: 2026-02-26

Updated: 2026-03-03

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 3.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Severity: Low

EPSS

EPSS: 0.00025