PT-2026-33300 · Wger · Wger

Published: 2026-04-16 · Updated: 2026-04-18 · CVE-2026-40353

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: wger versions prior to 2.5
Description: The attribution link property in AbstractLicenseModel builds HTML by directly interpolating user-controlled license fields (license author, license title, license object URL, license author URL and license derivative source URL) without escaping them. Because the templates render the result through Django's |safe filter, which disables auto-escaping, an authenticated user can inject JavaScript into the license author field. The result is stored cross-site scripting (XSS): the script executes in the browser of any visitor who views the affected ingredient page. The issue is reachable via the '/en/nutrition/ingredient/add/' endpoint.
Recommendations: Update to version 2.5 or newer. As a temporary workaround, restrict access to the license author field in the ingredient creation form to reduce the risk of exploitation.
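The pattern the description names, shown as an added illustration that is not wger's own code: a property that interpolates license fields straight into markup (which a template then marks safe) beside a hardened version that escapes every field and also validates URL fields. The record shape, field names with underscores, the helper names and the sample values are all assumptions made for this example; it uses only the Python standard library, so html.escape stands in for what Django's format_html would do in the real code base.

```python
import html
from urllib.parse import urlsplit

# Constructed sample license records. They stand in for the user-controlled
# license fields the advisory names and are not data taken from wger.
BENIGN_LICENSE = {
    "license_title": "CC BY-SA 4.0",
    "license_object_url": "https://example.org/ingredient/1",
    "license_author": "Jane Doe",
    "license_author_url": "https://example.org/jane",
}

# Same record with a script tag planted in the author field (constructed).
HOSTILE_LICENSE = dict(BENIGN_LICENSE, license_author="Jane <script>alert(1)</script>")


def attribution_link_vulnerable(lic):
    """Illustrates the flawed pattern: fields are interpolated raw into markup
    that the template later renders with |safe, so nothing is escaped."""
    return (
        f'<a href="{lic["license_object_url"]}">{lic["license_title"]}</a> by '
        f'<a href="{lic["license_author_url"]}">{lic["license_author"]}</a>'
    )


def safe_url(url):
    """Allow only absolute http(s) URLs inside href; anything else becomes '#'.
    Escaping alone does not stop other URL schemes placed in an attribute."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme in ("http", "https") and parts.netloc:
        return cleaned
    return "#"


def esc(value):
    """HTML-escape a field, including quotes, since it lands in attributes too."""
    return html.escape(value, quote=True)


def attribution_link_hardened(lic):
    """Escape every user-controlled field and validate URL fields before they
    reach markup. In Django, format_html() performs the equivalent escaping."""
    return (
        f'<a href="{esc(safe_url(lic["license_object_url"]))}">'
        f'{esc(lic["license_title"])}</a> by '
        f'<a href="{esc(safe_url(lic["license_author_url"]))}">'
        f'{esc(lic["license_author"])}</a>'
    )


def contains_script_tag(markup):
    """Detection helper: true if an unescaped <script ...> tag survives."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", attribution_link_vulnerable(HOSTILE_LICENSE))
    print("hardened:  ", attribution_link_hardened(HOSTILE_LICENSE))
```

For benign input both versions produce identical markup, which is why the defect goes unnoticed in normal use; the hardened version only diverges once a field carries markup characters or a non-http(s) URL. Escaping at the point where the string is built is the fix the advisory's 2.5 release implies; the URL-scheme check goes a step beyond the advisory and is a general precaution for any user-supplied href.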

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40353
GHSA-6F54-QJVM-WWQ3

Affected Products

Wger