FKIE_CVE-2026-27835

Vulnerability from fkie_nvd - Published: 2026-02-26 22:20 - Updated: 2026-02-27 14:06
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.
References
security-advisories@github.comhttps://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64
security-advisories@github.comhttps://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users\u0027 repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user\u0027s workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue."
    },
    {
      "lang": "es",
      "value": "wger es un gestor de entrenamientos y fitness gratuito y de c\u00f3digo abierto. En versiones hasta la 2.4 inclusive, \u0027RepetitionsConfigViewSet\u0027 y \u0027MaxRepetitionsConfigViewSet\u0027 devuelven los datos de configuraci\u00f3n de repeticiones de todos los usuarios porque su \u0027get_queryset()\u0027 llama a \u0027.all()\u0027 en lugar de filtrar por el usuario autenticado. Cualquier usuario registrado puede enumerar la estructura de entrenamiento de cualquier otro usuario. El commit 1fda5690b35706bb137850c8a084ec6a13317b64 contiene una soluci\u00f3n para el problema."
    }
  ],
  "id": "CVE-2026-27835",
  "lastModified": "2026-02-27T14:06:37.987",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T22:20:49.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.