CVE-2026-40474 - wger has Broken Access Control in the Global Gym Configuration Update Endpoint
CVE ID :CVE-2026-40474 Published : April 17, 2026, 10:16 p.m. | 24 minutes ago Description :wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of
ORIGINAL SOURCE →via CVE Feed Latest
ADVERTISEMENT
⚡ STAY AHEAD
Events like this, convergence-verified across 689 sources, land in your inbox every Sunday. Free.
GET THE SUNDAY BRIEFING →RELATED · cyber
- [CYBER] Hackers steal nearly $300M in biggest DeFi exploit of 2026 - Seeking Alpha
- [CYBER] Hackers steal nearly $300M in biggest DeFi exploit of 2026
- [CYBER] 'DeFi is dead': crypto community scrambles after this year's biggest hack exposes contagion risks
- [CYBER] Vercel confirms breach as hackers claim to be selling stolen data
- [CYBER] I found a critical CVE in a top AI agent framework. Here's what it taught me about how we're all building agents wrong.
- [CYBER] Why Your Lab Domain Suddenly Stopped Resolving (DNS Blocklists)