Security Advisory

CVE-2026-27835

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-26 22:00:23

Last updated 2026-03-03 01:38:18

Assigner GitHub_M

State PUBLISHED

Description

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other users workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.

← Browse all CVEs View on cve.org ↗