CVE-2026-40353

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.

References

• https://github.com/wger-project/wger/releases/tag/2.5
• https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3