wger IDOR Vulnerability Exposes Private Workout Data (CVE-2026-43977)
wger 2.5 and earlier is vulnerable to CVE-2026-43977, an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to read another user's private workout session notes, exercise history, and training statistics by accessing the `/logs/` and `/stats/` actions on a public template routine they do not own.
wger Cross-Tenant Password Reset and Plaintext Disclosure Vulnerability
A vulnerability in wger version 2.5 and earlier allows an attacker with the `gym.manage_gym` permission and `gym=None` to reset the password of any other `gym=None` user, disclosing the new password in plaintext and allowing account takeover.
wger CSV/TSV Formula Injection Vulnerability
A CSV/TSV injection vulnerability exists in wger <= 2.5, allowing malicious gym members to inject spreadsheet formulas into their profiles, which are then executed when an administrator exports and opens the member list, potentially leading to data exfiltration and remote code execution.