PT-2026-22205 · Wger · Wger

Byamb4 · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-27839

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: wger versions prior to 2.4

Description: wger is a free, open-source workout and fitness manager. An issue exists where three nutritional values action endpoints bypass user-scoped querysets via a raw ORM call, specifically Model.objects.get(pk=pk). This allows any authenticated user to access another user's private nutrition plan data, including caloric intake and macro breakdown, by providing an arbitrary primary key (pk). The issue was addressed in commit 29876a1954fe959e4b58ef070170e81703dab60e.

Recommendations: Update to a version later than 2.4.
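The pattern the description names, as an added example that is not wger's code: a constructed in-memory stand-in for a Django manager/queryset (not Django itself) with the raw `get(pk=pk)` lookup beside the user-scoped one. The function names, sample users and plan values are assumptions made for the illustration.

```python
# Added example (not from wger): why Model.objects.get(pk=pk) leaks another
# user's plan, and how resolving pk inside a user-scoped queryset closes it.
from dataclasses import dataclass


@dataclass(frozen=True)
class NutritionPlan:
    pk: int
    user: str
    calories: int
    protein_g: int


class PlanQuerySet:
    """Constructed stand-in for a Django QuerySet/Manager (not Django)."""

    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, **kwargs):
        return PlanQuerySet(
            r for r in self._rows
            if all(getattr(r, k) == v for k, v in kwargs.items())
        )

    def get(self, **kwargs):
        matches = self.filter(**kwargs)._rows
        if not matches:
            raise LookupError("NutritionPlan matching query does not exist")
        return matches[0]


# Constructed sample data: two users, each with one private plan.
PLANS = PlanQuerySet([
    NutritionPlan(pk=1, user="alice", calories=2100, protein_g=150),
    NutritionPlan(pk=2, user="bob", calories=1800, protein_g=120),
])


def nutritional_values_vulnerable(request_user, pk):
    """Pre-fix pattern: the raw lookup never consults who is asking (IDOR)."""
    plan = PLANS.get(pk=pk)  # request_user is ignored entirely
    return {"calories": plan.calories, "protein_g": plan.protein_g}


def nutritional_values_fixed(request_user, pk):
    """Fixed pattern: pk is resolved only within the requester's own rows."""
    plan = PLANS.filter(user=request_user).get(pk=pk)
    return {"calories": plan.calories, "protein_g": plan.protein_g}


def other_users_plan_visible(handler, request_user="alice", other_pk=2):
    """Detection check: True if handler returns a plan owned by someone else."""
    try:
        return handler(request_user, other_pk) is not None
    except LookupError:
        return False  # scoped lookup behaves like a 404 for foreign pks
```

The scoped form also avoids leaking existence: a foreign pk and a nonexistent pk both fail the same way.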

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-27839
GHSA-G8GC-6C4H-JG86

Affected Products

Wger