{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40353", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.359Z", "datePublished": "2026-04-17T21:16:12.401Z", "dateUpdated": "2026-04-20T16:17:52.305Z"}, "containers": {"cna": {"title": "wger: Stored XSS via Unescaped License Attribution Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3"}, {"name": "https://github.com/wger-project/wger/releases/tag/2.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/wger-project/wger/releases/tag/2.5"}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"version": "< 2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:16:12.401Z"}, "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5."}], "source": {"advisory": "GHSA-6f54-qjvm-wwq3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:17:47.270194Z", "id": "CVE-2026-40353", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:17:52.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40353", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:17:47.270194Z"}}}], "references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:17:41.969Z"}}], "cna": {"title": "wger: Stored XSS via Unescaped License Attribution Fields", "source": {"advisory": "GHSA-6f54-qjvm-wwq3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "wger-project", "product": "wger", "versions": [{"status": "affected", "version": "< 2.5"}]}], "references": [{"url": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3", "name": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wger-project/wger/releases/tag/2.5", "name": "https://github.com/wger-project/wger/releases/tag/2.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:16:12.401Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40353", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:17:52.305Z", "dateReserved": "2026-04-10T22:50:01.359Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:16:12.401Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*", "matchCriteriaId": "7674E242-4B20-48B6-95C2-118E1DD4D29B", "versionEndExcluding": "2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5."}], "id": "CVE-2026-40353", "lastModified": "2026-04-24T14:46:04.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:33.077", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/wger-project/wger/releases/tag/2.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wger", "source": "cna", "vendor": "wger-project"}, "product": "wger", "vendor": "wger-project"}], "analysis": {"en": {"generated_at": "2026-04-18T17:05:10.464759+00:00", "value": {"mitigation_remediation": ["Upgrade the wger application to version 2.5 or later to apply the fix that removes the unescaped license attribution logic.", "If an upgrade cannot be applied immediately, sanitize the license_author input by escaping all HTML special characters before storage and avoid using the |safe filter when rendering the attribution link.", "Restrict ingredient creation permissions so that only trusted or privileged users can add new ingredients, thereby reducing the potential attack surface."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS that allows an attacker to execute arbitrary JavaScript in the browsers of any visitor to a maliciously crafted ingredient page"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the wger application up to version 2.4. All installations running 2.4 or earlier are affected; the released 2.5 version contains the fix and is not vulnerable.", "description_and_impact": "wger, the open\u2011source workout manager, stores user\u2011supplied license information directly into HTML without escaping. An authenticated user can insert a malicious string as the license_author field while creating an ingredient, and the page is rendered using Django\u2019s |safe filter so the injected script runs in the browsers of all viewers, giving the attacker the ability to steal session cookies, deface the site, or launch phishing attacks. This flaw is a classic Stored XSS attack (CWE\u201179) that compromises confidentiality, integrity, and availability of the client\u2019s web session.", "risk_and_exploitability": "The CVSS score is 5.1, placing the flaw in the moderate severity range. EPSS data is not available and the issue is not listed in CISA\u2019s KEV catalog, indicating no documented large\u2011scale exploitation. The attack requires only an authenticated user with the ability to create ingredients \u2013 a common role on most installations \u2013 and the injected script will execute in every browser that accesses the compromised ingredient, making the risk significant for shared instances."}}}}, "created": "2026-04-17T22:30:29.499694+00:00", "updated": "2026-04-18T17:15:05.777866+00:00", "vendors": ["wger-project", "wger-project$PRODUCT$wger"]}