wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Modified: 4/15/2026
Package: pkg:pypi/wger
wger has Stored XSS via Unescaped License Attribution Fields
Modified: 5/5/2026
wger Workout Manager Cross-site Scripting vulnerability
Modified: 11/19/2024
wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
Modified: 5/14/2026
wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
Modified: 5/14/2026
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
Modified: 4/15/2026
wger vulnerable to brute force attempts
Modified: 11/8/2023
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Modified: 5/13/2026
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
Modified: 5/20/2026
wger has an Uncontrolled Resource Consumption issue
Modified: 5/13/2026
wger: trainer_login open redirect - ?next= parameter not validated against host
Modified: 5/6/2026
wger Workout Manager Cross-Site Request Forgery vulnerability
Modified: 11/19/2024
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Modified: 4/15/2026
wger has Broken Access Control in Global Gym Configuration Update Endpoint
Modified: 5/5/2026
wger: CSV/TSV formula injection in gym member export (first_name/last_name)
Modified: 5/6/2026
Modified: 6/10/2026
Modified: 6/10/2026