SB2026042848 - Multiple vulnerabilities in wger


Published: April 28, 2026

Security Bulletin ID: SB2026042848
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 67%
Low: 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Open redirect (CVE-ID: N/A)

The vulnerability allows a remote user to redirect a victim's browser to an attacker-controlled site and disclose sensitive information.

The vulnerability exists due to URL redirection to an untrusted site in the trainer_login view when handling a crafted ?next= parameter. A remote user can send a crafted link to redirect a victim's browser to an attacker-controlled site and disclose sensitive information.

User interaction is required, and exploitation occurs after the trainer successfully enters impersonation mode.


2) Improper Neutralization of Formula Elements in a CSV File (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code or disclose sensitive information.

The vulnerability exists due to improper neutralization of formula elements in a CSV file in the gym member TSV export endpoint when exporting user profile fields to TSV cells. A remote attacker can store a specially crafted spreadsheet formula in their own first_name or last_name fields to execute arbitrary code or disclose sensitive information.

The issue is triggered when a gym administrator exports the member list and opens the resulting file in a formula-evaluating spreadsheet application; legacy Excel with DDE enabled may allow arbitrary local code execution.
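The mitigation for this class of bug is to neutralize formula elements before a profile field is written to a TSV cell. The following is an added illustration, not code from the wger project: it shows an unsafe export that writes fields verbatim beside a hardened one that prefixes formula-like values with a single quote and strips tabs and line breaks (the member dicts, column names and function names are assumptions for the example).

```python
# Formula triggers recognised by common spreadsheet applications when they
# appear at the start of a cell (the OWASP CSV-injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return a TSV-safe cell that a spreadsheet will interpret as text.

    Tabs and line breaks are replaced first so one profile field cannot
    spill into a neighbouring cell or row; a leading single quote then
    forces text interpretation of anything that looks like a formula.
    This also prefixes legitimate values such as "-5", which is
    acceptable for free-text profile fields like names.
    """
    text = "" if value is None else str(value)
    text = text.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_members_tsv(members, neutralize=True):
    """Render member dicts as TSV text.

    neutralize=False reproduces the unsafe behaviour the bulletin
    describes (profile fields written verbatim); the default applies
    neutralize_cell to every value.
    """
    columns = ("first_name", "last_name", "email")
    lines = ["\t".join(columns)]
    for member in members:
        cells = [str(member.get(col, "")) for col in columns]
        if neutralize:
            cells = [neutralize_cell(c) for c in cells]
        lines.append("\t".join(cells))
    return "\n".join(lines) + "\n"


# Constructed sample data (not real wger records): one ordinary member and
# one whose name fields carry a formula and a cell-splitting tab.
SAMPLE_MEMBERS = [
    {"first_name": "Alice", "last_name": "Example", "email": "alice@example.invalid"},
    {"first_name": "=1+1", "last_name": "Bob\tSmith", "email": "bob@example.invalid"},
]

if __name__ == "__main__":
    print(export_members_tsv(SAMPLE_MEMBERS, neutralize=False))
    print(export_members_tsv(SAMPLE_MEMBERS))
```

Running the block shows the unsafe export producing a row with four cells instead of three, while the hardened export keeps the row intact and the formula inert.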


3) Incorrect authorization (CVE-ID: N/A)

The vulnerability allows a remote user to take over other users' accounts and lock them out.

The vulnerability exists due to incorrect authorization in reset_user_password and gym_permissions_user_edit views when handling requests for users whose gym assignment is unset. A remote user can send a request to reset another gym=None user's password to take over other users' accounts and lock them out.

The new plaintext password is returned in the HTML response body, and the issue affects cases where both the requester and target user have gym=None.


Remediation

Install the update from the vendor's website.