CVE-2026-40353: wger has Stored XSS via Unescaped License Attribution Fields
The AbstractLicenseModel.attribution_link property in wger/utils/models.py constructs HTML strings by directly interpolating user-controlled fields (license_author, license_title, license_object_url, license_author_url, license_derivative_source_url) without any escaping. The resulting HTML is rendered in the ingredient view template using Django’s |safe filter, which disables auto-escaping. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes when any user (including unauthenticated visitors) views the ingredient page.
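An added example (not wger's own code) that contrasts the unsafe pattern the advisory describes, user fields interpolated straight into markup that is later rendered with `|safe`, with an escaped and scheme-checked form. Field names follow the advisory; the payload and URLs are constructed, and `html.escape` stands in for Django's `format_html` so the example runs without Django.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed sample input: the license fields named in the advisory, with an
# assumed hostile license_author value and a javascript: author URL.
SAMPLE = {
    "license_author": "<script>alert(1)</script>",
    "license_title": "Example food",
    "license_object_url": "https://example.invalid/object",
    "license_author_url": "javascript:alert(1)",
}


def attribution_link_vulnerable(fields):
    """Unsafe pattern: values go into the HTML string unescaped.

    When the template then applies |safe (or the string is mark_safe'd), the
    browser executes whatever the author field contains.
    """
    return '<a href="{}">{}</a> by <a href="{}">{}</a>'.format(
        fields["license_object_url"], fields["license_title"],
        fields["license_author_url"], fields["license_author"])


def link(url, text):
    """Render an anchor only for http(s) URLs; otherwise fall back to escaped text.

    Escaping alone does not neutralise a javascript: or data: href, so the
    scheme is checked separately from the HTML escaping.
    """
    text = escape(text, quote=True)
    if urlsplit(url).scheme.lower() in ("http", "https"):
        return '<a href="{}">{}</a>'.format(escape(url, quote=True), text)
    return text


def attribution_link_safe(fields):
    """Hardened form: every user value is escaped and every URL scheme-checked.

    In Django this is what format_html() gives you; html.escape is used here
    only to keep the example dependency-free.
    """
    return "{} by {}".format(
        link(fields["license_object_url"], fields["license_title"]),
        link(fields["license_author_url"], fields["license_author"]))
```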