HIGH
wger-project
CVE published 2026-07-16
CVE-2026-43978
A vulnerability in wger, a free, open-source workout and fitness manager, allows a gym trainer to escalate their session to any higher-privileged account by chaining two calls to the trainer-login endpoint. This grants full gym administration capabilities. The vulnerability has been fixed in version 2.6. Users of wger versions prior to 2.6, particularly gym administrators and trainers, should be aware of [truncated]