CVE-2026-40353

MEDIUM

wger: Stored XSS via Unescaped License Attribution Fields

Title source: cna

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.

References (2)

[X_Refsource_Confirm] https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3

[X_Refsource_Misc] https://github.com/wger-project/wger/releases/tag/2.5

Scores

CVSS v4 5.1

EPSS 0.0002

EPSS Percentile 4.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Details

CWE

CWE-79

Status published

Products (1)

wger-project/wger < 2.5

Published Apr 17, 2026

Tracked Since Apr 18, 2026