CVE-2026-40353
MEDIUM
wger: Stored XSS via Unescaped License Attribution Fields
Title source: cnaDescription
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.
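To make the defect concrete, here is the unsafe pattern the description points at (user-controlled license fields interpolated straight into HTML that a template later renders as trusted) next to the hardened form that escapes each value before it enters markup. This is an added illustration, not wger's code: the function names and the sample payload are constructed, and the standard-library `html.escape` stands in for Django's `django.utils.html.escape`/`format_html` so the snippet runs without Django installed.

```python
# Added example, not wger's code. Demonstrates the advisory's pattern:
# raw interpolation of user-controlled fields into HTML (unsafe) versus
# escaping every interpolated value (hardened). Stdlib html.escape is used
# here in place of Django's escape()/format_html() so this runs offline.
from html import escape


def attribution_link_unsafe(author: str, link: str) -> str:
    """Vulnerable pattern (assumed shape, not wger's exact code):
    raw f-string interpolation. If a template then applies |safe (or the
    property wraps the result in mark_safe), any markup an authenticated
    user stored in `author` or `link` reaches the visitor's browser as-is."""
    return f'<a href="{link}">{author}</a>'


def attribution_link_safe(author: str, link: str) -> str:
    """Hardened pattern: escape each untrusted value before it is placed into
    markup. quote=True also neutralises quotes, so a value cannot close the
    href attribute and add a new one. Django's format_html() applies the same
    escaping to its arguments and returns a SafeString, which removes the
    need for |safe in the template."""
    return (
        f'<a href="{escape(link, quote=True)}">'
        f'{escape(author, quote=True)}</a>'
    )


if __name__ == "__main__":
    # Constructed sample values standing in for a stored license_author and
    # license link; the first carries a tag, the second tries to break out
    # of the href attribute.
    author = "<script>alert(1)</script>"
    link = 'https://example.org/" onclick="x'
    print("unsafe:", attribution_link_unsafe(author, link))
    print("safe:  ", attribution_link_safe(author, link))
```

The unsafe rendering passes the stored tag through verbatim; the hardened rendering turns it into `&lt;script&gt;` text and the stray quote into `&quot;`, which is what a code review or regression test of a `|safe`-rendered property should check for.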
References (2)
Core References
x_refsource_confirm
https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3
x_refsource_misc
https://github.com/wger-project/wger/releases/tag/2.5
Scores
CVSS v3
5.4
EPSS
0.0021
EPSS Percentile
10.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
pypi/wger
PyPI
wger/wger
< 2.5
wger-project/wger
< 2.5
Published
Apr 17, 2026
Tracked Since
Apr 18, 2026