GHSA-vqv8-j3mj-wjxj: wger: trainer_login open redirect - ?next= parameter not validated against host
The trainer_login view in wger redirects to request.GET['next'] directly via HttpResponseRedirect() without calling url_has_allowed_host_and_scheme(). After the trainer successfully enters impersonation mode, their browser is redirected to any attacker-controlled URL supplied in the ?next= parameter, enabling Referer exfiltration and phishing.
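The fix the advisory points at is to validate the `next` value before redirecting. The following is an added example, not wger's code: `has_allowed_host_and_scheme` re-implements the checks Django performs in `django.utils.http.url_has_allowed_host_and_scheme` (so the file runs without Django installed; a real view should call Django's function), and the two `*_redirect_target` helpers show the flawed pattern beside the hardened one. The host name `wger.example`, the query dictionaries and the `/` fallback are constructed for the example; in a Django view the allowed host would be `request.get_host()` and `require_https` would be `request.is_secure()`, as Django's own `LoginView` does.

```python
"""Rejecting an attacker-controlled ``?next=`` target after login.

Added example, not wger's code. ``has_allowed_host_and_scheme`` re-implements
the checks Django makes in ``django.utils.http.url_has_allowed_host_and_scheme``
so this file runs without Django; real views should call Django's function.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed fallback; the page does not show the view's real default.
DEFAULT_AFTER_LOGIN = "/"


def _one_pass(url, allowed_hosts, require_https):
    # Browsers treat three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example": a scheme with no netloc, yet Chrome reads a host.
    if parts.scheme and not parts.netloc:
        return False
    # A leading control character can make a browser parse the URL differently.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:  # "//evil.example" is scheme-relative
        scheme = "http"
    valid = ("https",) if require_https else ("http", "https")
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid
    )


def has_allowed_host_and_scheme(url, allowed_hosts, require_https=False):
    """True only for relative paths or absolute URLs on an allowed host."""
    url = (url or "").strip()
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Chrome treats backslashes as slashes, so both spellings must pass.
    return _one_pass(url, allowed_hosts, require_https) and _one_pass(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def vulnerable_redirect_target(query):
    """The flawed pattern: ``next`` goes straight into the Location header."""
    return query.get("next", DEFAULT_AFTER_LOGIN)


def hardened_redirect_target(query, allowed_hosts, require_https=False):
    """Follow ``next`` only when it stays on the site; otherwise use the default."""
    candidate = query.get("next", "")
    if has_allowed_host_and_scheme(candidate, allowed_hosts, require_https):
        return candidate
    return DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # Constructed inputs; "wger.example" stands in for request.get_host().
    host = {"wger.example"}
    for nxt in ["/dashboard/", "https://wger.example/dashboard/", "//evil.example/",
                "https://evil.example/", "\\\\evil.example", "http:///evil.example"]:
        print(f"{nxt!r:36} vulnerable -> {vulnerable_redirect_target({'next': nxt})!r:34} "
              f"hardened -> {hardened_redirect_target({'next': nxt}, host)!r}")
```

Relative paths and absolute URLs on the allowed host are accepted; scheme-relative (`//host`), backslash, triple-slash and foreign-host targets all fall back to the default, which is what the missing `url_has_allowed_host_and_scheme()` call in `trainer_login` would have provided.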