Description
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.
Published: 2026-04-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that allows an attacker to execute arbitrary JavaScript in the browsers of any visitor to a maliciously crafted ingredient page
Action: Immediate Patch
AI Analysis

Impact

wger, the open-source workout manager, interpolates user-supplied license information directly into HTML without escaping. An authenticated user can store a malicious string in the license_author field while creating an ingredient; because the template renders the result with Django's |safe filter, the injected script runs in the browser of every viewer, giving the attacker the ability to steal session cookies, deface the site, or launch phishing attacks. This is a classic stored XSS flaw (CWE-79) that compromises the confidentiality, integrity, and availability of the client's web session.

Affected Systems

The vulnerability exists in the wger application up to version 2.4. All installations running 2.4 or earlier are affected; the released 2.5 version contains the fix and is not vulnerable.

Risk and Exploitability

The CVSS score is 5.1, placing the flaw in the moderate severity range. EPSS data is not available and the issue is not listed in CISA’s KEV catalog, indicating no documented large‑scale exploitation. The attack requires only an authenticated user with the ability to create ingredients – a common role on most installations – and the injected script will execute in every browser that accesses the compromised ingredient, making the risk significant for shared instances.

Generated by OpenCVE AI on April 18, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wger application to version 2.5 or later to apply the fix that removes the unescaped license attribution logic.
  • If an upgrade cannot be applied immediately, sanitize the license_author input by escaping all HTML special characters before storage and avoid using the |safe filter when rendering the attribution link.
  • Restrict ingredient creation permissions so that only trusted or privileged users can add new ingredients, thereby reducing the potential attack surface.
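The pattern the description names (an attribution_link property that interpolates license_author into HTML, then a template that marks it |safe) beside the hardened form the recommended actions call for, as an added example that is not code from the wger project or from this advisory. It is plain Python with the standard library standing in for Django's escaping; LicenseFields, license_url, the function names and the test string are all constructed for the example and are not the project's own identifiers.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class LicenseFields:
    """Constructed stand-in for the license fields on the model the advisory names.

    Only license_author is named on the page; license_url is an assumed extra field
    so the example has an href to build, and it is treated as user-controlled too.
    """
    license_author: str
    license_url: str = "https://example.org/license"


def attribution_link_unsafe(f: LicenseFields) -> str:
    """The vulnerable pattern: raw interpolation of user-controlled fields into HTML.

    Combined with |safe in the template, whatever the user stored is emitted verbatim.
    """
    return f'<a href="{f.license_url}">{f.license_author}</a>'


def attribution_link_safe(f: LicenseFields) -> str:
    """Hardened form: escape every interpolated value and allow only http(s) hrefs.

    Escaping alone does not make an href safe (a non-http scheme survives escaping
    unchanged), so the scheme is allow-listed as well. In Django the same result is
    reached with format_html(), which escapes its arguments and returns a SafeString,
    so the template can drop |safe entirely.
    """
    scheme = urlsplit(f.license_url).scheme.lower()
    url = f.license_url if scheme in ("http", "https") else "#"
    return (
        f'<a href="{html.escape(url, quote=True)}">'
        f"{html.escape(f.license_author, quote=True)}</a>"
    )


def render(fragment: str, marked_safe: bool) -> str:
    """Mimic Django template autoescaping.

    With |safe (marked_safe=True) the fragment is inserted as-is; without it the
    template engine escapes the whole string. Dropping |safe on the unsafe property
    would neutralise the payload but also show the link's own tags as text, which is
    why the fix belongs in the property, not only in the template.
    """
    return fragment if marked_safe else html.escape(fragment, quote=True)


_ACTIVE_MARKUP = re.compile(r"<script\b|\bon[a-z]+\s*=", re.IGNORECASE)


def has_active_markup(rendered_html: str) -> bool:
    """Rough check that rendered output contains an unescaped script tag or event handler."""
    return _ACTIVE_MARKUP.search(rendered_html) is not None


def audit_stored_authors(values):
    """Flag stored license_author values containing HTML metacharacters.

    Upgrading fixes rendering, but values written while the bug was live are still in
    the database; this lists the ones worth a manual look.
    """
    return [v for v in values if any(c in v for c in "<>\"'&")]


if __name__ == "__main__":
    canary = LicenseFields("Jane <script>alert(1)</script>")  # constructed test value
    print(render(attribution_link_unsafe(canary), marked_safe=True))  # script tag survives
    print(render(attribution_link_safe(canary), marked_safe=True))    # entity-encoded
```

The audit helper is the part worth keeping after the upgrade: the 2.5 fix changes how the field is rendered, not what was already stored, so a scan of existing license_author values tells you whether anyone used the bug before the patch landed.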



Advisories
Source      | ID                  | Title
Github GHSA | GHSA-6f54-qjvm-wwq3 | wger has Stored XSS via Unescaped License Attribution Fields
History

Fri, 24 Apr 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wger; Wger wger
CPEs                |                | cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wger; Wger wger
Metrics             |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 20 Apr 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 22:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wger-project; Wger-project wger
Vendors & Products  |                | Wger-project; Wger-project wger

Fri, 17 Apr 2026 21:30:00 +0000

Type        | Values Removed | Values Added
Description |                | wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.
Title       |                | wger: Stored XSS via Unescaped License Attribution Fields
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:17:52.305Z

Reserved: 2026-04-10T22:50:01.359Z

Link: CVE-2026-40353

Vulnrichment

Updated: 2026-04-20T16:17:41.969Z

NVD

Status : Analyzed

Published: 2026-04-17T22:16:33.077

Modified: 2026-04-24T14:46:04.933

Link: CVE-2026-40353

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses