Is wger affected by CVE-2026-27838?

PyPI wger is affected in <=2.1.

Is CVE-2026-27838 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

low

CVE-2026-27838

Q: Is CVE-2026-27838 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

PyPI · wger

Summary

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

Severity: low
EPSS: 0.2% (p15)
Also known as: GHSA-42cr-w2gr-m54q
Published: 2026-02-26

References

https://github.com/wger-project/wger/security/advisories/GHSA-42cr-w2gr-m54q
https://nvd.nist.gov/vuln/detail/CVE-2026-27838
https://github.com/wger-project/wger/commit/e964328784e2ee2830a1991d69fadbce86ac9fbf

Related advisories

CVE-2026-43948 — critical · PyPI/wger
GHSA-mw8f-w6p8-xrf4 — high · PyPI/wger
CVE-2026-43978 — high · PyPI/wger
CVE-2026-43977 — high · PyPI/wger
GHSA-xq9m-hmp9-fw87 — high · PyPI/wger
CVE-2026-40474 — high · PyPI/wger
GHSA-v25j-wqcw-fvhj — medium · PyPI/wger
GHSA-vqv8-j3mj-wjxj — medium · PyPI/wger

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.