{"id":"CVE-2026-40353","summary":"wger: Stored XSS via Unescaped License Attribution Fields","details":"wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.","aliases":["GHSA-6f54-qjvm-wwq3"],"modified":"2026-07-08T08:13:12.443621559Z","published":"2026-04-17T21:16:12.401Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40353.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/wger-project/wger/releases/tag/2.5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40353.json"},{"type":"ADVISORY","url":"https://github.com/wger-project/wger/security/advisories/GHSA-6f54-qjvm-wwq3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40353"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wger-project/wger","events":[{"introduced":"0"},{"fixed":"c1fca6bdf77d8ed80048d1b73a8da80cf36ee751"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:wger:wger:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.5"}]}}],"versions":["2.4","2.3","2.0","1.9","1.8","1.7","1.5","1.4","1.3","1.2","1.1","1.0.3","1.0.2","1.0.1","1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40353.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}