Is CVE-2026-40474 actively exploited?

CVE-2026-40474 has no public evidence of in-the-wild exploitation as of 2026-04-24.

What is the CVSS score for CVE-2026-40474?

CVE-2026-40474 has a CVSS score of 7.6 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L.

How do I patch CVE-2026-40474?

Patch guidance is available from wger security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-40474.

Fix CVE-2026-40474 - HIGH wger wger

Description

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: low
Integrity: high
Availability: low
Weaknesses: CWE-284 CWE-862 · Missing Authorization

Metadata

Primary Vendor: WGER
Published: 4/17/2026
Last Modified: 4/24/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-40474

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary