Is Wger affected by CVE-2026-27835?

Organizations using versions should be aware of moderate risk from CVE-2026-27835, a IDOR vulnerability rated CVSS 4.3. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.

CVE-2026-27835

MEDIUM

2026-02-26 [email protected]

GHSA-xf68-8hjw-7mpm

4.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Mar 03, 2026 - 20:01 vuln.today

Public exploit code

Patch Released

Mar 03, 2026 - 20:01 nvd

Patch available

CVE Published

Feb 26, 2026 - 22:20 nvd

MEDIUM 4.3

Description

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.

Analysis

Wger versions up to 2.4 expose all users' repetition configuration data to any authenticated attacker due to missing authorization checks in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet endpoints. A registered user can enumerate the complete workout structures of all other users on the platform. …

Remediation

Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +22

POC: +20

CVE-2026-27835 vulnerability details – vuln.today

Back

CVE-2026-27835

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-27835

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code