CVE-2026-40353 | THREATINT

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.

PUBLISHED Reserved 2026-04-10 | Published 2026-04-17 | Updated 2026-04-20 | Assigner GitHub_M

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 2.5

affected

References

github.com/...t/wger/security/advisories/GHSA-6f54-qjvm-wwq3 exploit

github.com/...t/wger/security/advisories/GHSA-6f54-qjvm-wwq3

github.com/wger-project/wger/releases/tag/2.5

cve.org (CVE-2026-40353)

nvd.nist.gov (CVE-2026-40353)

Download JSON