PT-2026-22203 · Wger

Byamb4 · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-27835

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: wger, versions up to and including 2.4
Description: wger is a free, open-source workout and fitness manager. Versions up to and including 2.4 do not scope user data retrieval correctly in the REST API. The RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet endpoints return every user's repetition configuration data because their get_queryset() method returns the model's .all() queryset instead of filtering it by the authenticated user (self.request.user). Any registered user can therefore enumerate the workout structure of every other user. Affected endpoints: RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet. Vulnerable method: get_queryset().
Recommendations: Update to a version later than 2.4.
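The pattern described above, as an added illustration that is not wger's own code: Django and Django REST Framework are replaced by a small in-memory stand-in so the block runs offline. The names it mirrors (QuerySet.all(), QuerySet.filter(), a ViewSet's get_queryset() and self.request.user) are the real Django/DRF ones; the classes, field names and sample rows are assumptions. It puts the unscoped get_queryset() beside the scoped one and runs the cross-user check a tester would perform against the list endpoint.

```python
"""In-memory stand-in for the wger get_queryset() IDOR (CVE-2026-27835).

Added illustration, not wger's own code. Django/DRF are replaced by a
stand-in QuerySet and Request so this runs offline; the mirrored names
(QuerySet.all(), QuerySet.filter(), get_queryset(), self.request.user)
are the real ones, the classes, fields and sample rows are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RepetitionsConfig:
    """Stand-in for the model row; `user` is the owning account."""
    id: int
    user: str
    reps: int


class QuerySet:
    """Just enough of django.db.models.QuerySet for the two patterns."""

    def __init__(self, rows):
        self._rows = list(rows)

    def all(self):
        return QuerySet(self._rows)

    def filter(self, **lookups):
        return QuerySet(
            r for r in self._rows
            if all(getattr(r, k) == v for k, v in lookups.items())
        )

    def __iter__(self):
        return iter(self._rows)


# Constructed sample data: two rows owned by alice, one owned by bob.
RepetitionsConfig.objects = QuerySet([
    RepetitionsConfig(id=1, user="alice", reps=8),
    RepetitionsConfig(id=2, user="alice", reps=12),
    RepetitionsConfig(id=3, user="bob", reps=5),
])


@dataclass
class Request:
    """Stand-in for rest_framework.request.Request: only `.user` is needed."""
    user: str


class VulnerableRepetitionsConfigViewSet:
    """The pattern the advisory describes: the queryset is never scoped."""

    def __init__(self, request):
        self.request = request

    def get_queryset(self):
        return RepetitionsConfig.objects.all()  # every user's rows


class FixedRepetitionsConfigViewSet(VulnerableRepetitionsConfigViewSet):
    """Scoped to the caller; MaxRepetitionsConfigViewSet needs the same change."""

    def get_queryset(self):
        return RepetitionsConfig.objects.filter(user=self.request.user)


def visible_ids(viewset_cls, username):
    """Row ids the list endpoint would return to `username`."""
    view = viewset_cls(Request(user=username))
    return sorted(row.id for row in view.get_queryset())


def leaks_other_users_rows(viewset_cls, username):
    """IDOR check: True if the caller can see rows owned by someone else."""
    view = viewset_cls(Request(user=username))
    return any(row.user != username for row in view.get_queryset())


if __name__ == "__main__":
    for cls in (VulnerableRepetitionsConfigViewSet, FixedRepetitionsConfigViewSet):
        print(cls.__name__, visible_ids(cls, "alice"),
              "leaks:", leaks_other_users_rows(cls, "alice"))
```

The same check against a live instance is: create two accounts, create a repetition config as the second one, list the endpoint as the first and confirm the second account's row id is absent. Filtering inside get_queryset() is the right place for the fix because DRF's get_object() draws from get_queryset() too, so detail routes are scoped by the same change.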

Weakness Enumeration

IDOR
Related Identifiers

CVE-2026-27835
GHSA-XF68-8HJW-7MPM

Affected Products

Wger