SB2026042848 - Multiple vulnerabilities in wger




Published: April 28, 2026 Updated: May 18, 2026

Security Bulletin ID SB2026042848
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 67%, Low 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Open redirect (CVE-ID: N/A)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect a victim's browser to an attacker-controlled site and disclose sensitive information.

The vulnerability exists due to URL redirection to an untrusted site in the trainer_login view when handling a crafted ?next= parameter. A remote user can send a crafted link to redirect a victim's browser to an attacker-controlled site and disclose sensitive information.

User interaction is required, and exploitation occurs after the trainer successfully enters impersonation mode.


2) Improper Neutralization of Formula Elements in a CSV File (CVE-ID: N/A)

CWE-ID: CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code or disclose sensitive information.

The vulnerability exists due to improper neutralization of formula elements in a CSV file in the gym member TSV export endpoint when exporting user profile fields to TSV cells. A remote attacker can store a specially crafted spreadsheet formula in their own first_name or last_name fields to execute arbitrary code or disclose sensitive information.

The issue is triggered when a gym administrator exports the member list and opens the resulting file in a formula-evaluating spreadsheet application; legacy Excel with DDE enabled may allow arbitrary local code execution.
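The mitigation for this class of issue is to neutralize formula trigger characters before a profile field reaches a TSV cell. The following is an added example of such an export routine, not wger's own code; the member rows, field names and the neutralize_cell/export_members_tsv helpers are hypothetical.

```python
import csv
import io

# Leading characters that formula-evaluating spreadsheet applications treat as
# the start of a formula. Tab and carriage return are included because a cell
# such as "\t=..." is still evaluated once the leading whitespace is dropped.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` so a spreadsheet imports it as text, never as a formula.

    A leading single quote forces text interpretation in Excel and LibreOffice.
    Cell and row separators are then replaced so a crafted field cannot break
    out of its TSV cell. Hypothetical helper, not part of wger.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text.replace("\t", " ").replace("\r", " ").replace("\n", " ")


def export_members_tsv(members):
    """Write member rows (dicts) to a TSV string with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n",
                        quoting=csv.QUOTE_MINIMAL)
    fields = ("username", "first_name", "last_name")
    writer.writerow(fields)
    for member in members:
        writer.writerow([neutralize_cell(member.get(f)) for f in fields])
    return buf.getvalue()


# Constructed sample rows: the second carries formula-like text in the name
# fields, the kind of value the bulletin describes being stored in a profile.
SAMPLE_MEMBERS = [
    {"username": "alice", "first_name": "Alice", "last_name": "Example"},
    {"username": "mallory", "first_name": "=SUM(1,2)", "last_name": "-Smith"},
]

if __name__ == "__main__":
    print(export_members_tsv(SAMPLE_MEMBERS))
```

Legitimate values that begin with a trigger character (a surname such as "-Smith") also receive the quote prefix; that is the accepted trade-off of this approach.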


3) Incorrect authorization (CVE-ID: CVE-2026-43948)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to take over other users' accounts and lock them out.

The vulnerability exists due to incorrect authorization in reset_user_password and gym_permissions_user_edit views when handling requests for users whose gym assignment is unset. A remote user can send a request to reset another gym=None user's password to take over other users' accounts and lock them out.

The new plaintext password is returned in the HTML response body, and the issue affects cases where both the requester and target user have gym=None.


Remediation

Install update from vendor's website.