XSS in Wger-project Wger

CVE-2026-40353

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) wit…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (2.6th percentile)

Affected products

Weakness classification (CWE)

References