CVE-2026-40353
wger: Stored XSS via Unescaped License Attribution Fields
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.
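The flawed pattern and a hardened counterpart, written as an added example and not taken from wger's code: license_author and attribution_link are the names the advisory gives, while license_author_url, the dataclass and the regression check are assumptions made for the illustration. Django's format_html would do the escaping in a real template tag; html.escape is used here so the block runs without Django.

```python
from dataclasses import dataclass
from html import escape
from urllib.parse import urlsplit

# Constructed test value: an author string carrying markup, the kind of
# input the advisory describes. Not taken from any real wger record.
MALICIOUS_AUTHOR = "Mallory <script>alert(1)</script>"

SAFE_URL_SCHEMES = ("http", "https")


@dataclass
class LicenseFields:
    """Stand-in for the license fields on AbstractLicenseModel.

    license_author is named in the advisory; license_author_url is an
    assumed companion field used only to show attribute-context escaping.
    """
    license_author: str
    license_author_url: str = ""


def attribution_link_vulnerable(lic: LicenseFields) -> str:
    """Mirrors the flaw: user-controlled fields are interpolated straight
    into HTML, and the template later marks the result |safe, so nothing
    is ever escaped."""
    if lic.license_author_url:
        return f'<a href="{lic.license_author_url}">{lic.license_author}</a>'
    return lic.license_author


def attribution_link_fixed(lic: LicenseFields) -> str:
    """Hardened form: every user-controlled value is escaped before it is
    placed in HTML (quote=True also escapes quotes for the href attribute),
    and only http(s) URLs are linked, since escaping alone does not stop a
    javascript: scheme inside href."""
    author = escape(lic.license_author, quote=True)
    url = lic.license_author_url
    if url and urlsplit(url).scheme in SAFE_URL_SCHEMES:
        return f'<a href="{escape(url, quote=True)}">{author}</a>'
    return author


def leaks_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: if an untrusted value holds HTML-significant
    characters and still appears verbatim in the output, escaping was skipped."""
    return any(c in untrusted for c in '<>"\'&') and untrusted in rendered
```

The regression check is the piece worth keeping in a test suite: run it over every field a template renders with |safe.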
| CWE | CWE-79 |
| Vendor | wger-project |
| Product | wger |
| Published | Apr 17, 2026 |
Affected Versions
wger-project / wger
< 2.5