CyberRota
← Ana sayfaya dön

CVE-2026-43978

HIGH · CVSS 8.1 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-16T23:16:16.310 · Çekilme zamanı: 2026-07-17T00:26:57.184497+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

GitHub PoC Linkleri

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-43978
Severity
HIGH
CVSS
8.1
EPSS
Yok

Orijinal NVD Açıklaması

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identity is set and this flag alone bypasses the permission check on all subsequent trainer-login calls. This grants full gym administration capabilities including viewing all member data, modifying contracts, managing gym configuration, and accessing other trainers' and managers' personal information. This issue has been fixed in version 2.6.