216.73.216.86

CVE-2026-40474

· Published 17/04/2026 22:16 · Modified 17/04/2026 22:16

Labels: CVE-2026-40474 2026-04-17CVE-2026-40474CWE-284[email protected]

Essential information

Published
17/04/2026 22:16
Modified
17/04/2026 22:16
Author
Creator
CVSS
7.6 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CVSS metrics

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wger / wger cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*
wger / wger cpe:2.3:a:wger:wger:2.5:*:*:*:*:*:*:*

References