Vulnerability Description
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wger | Wger | < 2.5 |
Related Weaknesses (CWE)
References
- https://github.com/wger-project/wger/releases/tag/2.5Release Notes
- https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3ExploitVendor AdvisoryMitigation
- https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3ExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-40353?
CVE-2026-40353 is a vulnerability with a CVSS score of 5.4 (MEDIUM). wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled lice...
How severe is CVE-2026-40353?
CVE-2026-40353 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40353?
Check the references section above for vendor advisories and patch information. Affected products include: Wger Wger.