wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Title source: cna
Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-43948. PoCs published by dwisiswant0.
AI-analyzed exploit summary
The repository contains a functional exploit for CVE-2026-43948, a broken access control vulnerability in wger Workout Manager <= 2.5. The exploit demonstrates how an authenticated user with 'manage_gym' permission and no gym assignment can reset any other gym-less user's password and read the new password in plaintext, achieving full account takeover.
Description
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform their gym-scope authorization check by comparing the two users' gym values with Python's != operator and nothing else. Since None != None evaluates to False, the guard passes silently whenever both the attacker and the victim have no gym assignment (gym=None); the check never requires that a gym actually be assigned. A user holding the gym.manage_gym permission with gym=None can therefore reset the password of any other gym=None user, and the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6.
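To make the failing comparison concrete, the following is an added Python example, not wger's own code: a simplified model of the pre-2.6 guard next to a hardened form, both driven through a mock reset view that returns the new password in its response body the way the advisory describes. The Profile class, the manage_gym flag, integer gym ids and the response strings are assumptions for illustration only.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class Profile:
    username: str
    gym: Optional[int]          # assumed: gym primary key, None when the user has no gym
    manage_gym: bool = False    # assumed: stands in for the gym.manage_gym permission
    password: str = "original-secret"


Guard = Callable[[Profile, Profile], None]


def vulnerable_gym_guard(actor: Profile, target: Profile) -> None:
    # Pre-2.6 style check (illustrative): the only scope test is "!=" on the two
    # gym values. None != None is False, so two gym-less users pass the guard.
    if not actor.manage_gym:
        raise PermissionDenied("gym.manage_gym required")
    if actor.gym != target.gym:
        raise PermissionDenied("target belongs to a different gym")


def hardened_gym_guard(actor: Profile, target: Profile) -> None:
    # Hardened form (illustrative): an unassigned gym is never a valid scope, so
    # both sides must have a gym and the gyms must match.
    if not actor.manage_gym:
        raise PermissionDenied("gym.manage_gym required")
    if actor.gym is None or target.gym is None:
        raise PermissionDenied("user has no gym assignment")
    if actor.gym != target.gym:
        raise PermissionDenied("target belongs to a different gym")


def reset_user_password(guard: Guard, actor: Profile, target: Profile) -> str:
    """Mock of the view: run the guard, set a fresh password, return the body.

    The plaintext password landing in the response is the disclosure the advisory
    describes; the old credential is overwritten, so the victim is locked out.
    """
    try:
        guard(actor, target)
    except PermissionDenied as exc:
        return f"403 Forbidden: {exc}"
    new_password = secrets.token_urlsafe(12)
    target.password = new_password          # original password now invalid
    return f"200 OK: new password for {target.username} is {new_password}"


def outcome(guard: Guard, actor: Profile, target: Profile) -> str:
    """Status portion of the mock response ("200 OK" or "403 Forbidden")."""
    return reset_user_password(guard, actor, target).split(":", 1)[0]


if __name__ == "__main__":
    # Constructed scenario: attacker has manage_gym but no gym, victim has no gym.
    attacker = Profile("mallory", gym=None, manage_gym=True)
    victim = Profile("alice", gym=None)
    print("vulnerable:", reset_user_password(vulnerable_gym_guard, attacker, victim))
    victim = Profile("alice", gym=None)
    print("hardened:  ", reset_user_password(hardened_gym_guard, attacker, victim))
```

The scope check with the bug and the hardened one agree on every case where a gym is actually assigned (same gym allowed, different gym denied, no permission denied); they differ only on the None/None pair, which is exactly the state a freshly created or never-assigned account is in.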
Exploits (1)
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H