CVE-2022-2650 — Improper Restriction of Excessive Authentication Attempts in wger
My first CVE. wger's login page had no brute-force protection. Found with ZAP.

Published on June 25, 2026 by Steven Amador

Tags: CVE, authentication, brute force, bug bounty

In April 2022, I came across wger, a workout application that had a demo site and allowed for standalone installation. I found the application would not block brute-force attacks against the login page. Very simple, very straightforward. This led to my first CVE: CVE-2022-2650.

CWE-307 — Improper Restriction of Excessive Authentication Attempts. NVD scored it 9.8 (Critical); the CNA, huntr.dev, scored it 7.8 (High) using a slightly different vector. Fixed in 2.2.
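What CWE-307 asks for is a throttle or lockout that sits in front of the password check, so that repeated failures against one account stop being answered at all. The following is an added example written for this post, not wger's code and not the fix that shipped in 2.2; it is a standalone Python illustration with a constructed user store, constructed client IPs and made-up policy numbers, contrasting an unthrottled login (the shape the report describes) with one that locks a (username, client IP) pair after a burst of failures:

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Policy values are constructed for this example, not taken from wger.
MAX_FAILURES = 5          # failures tolerated inside the sliding window
WINDOW_SECONDS = 300      # sliding window over which failures are counted
LOCKOUT_SECONDS = 900     # how long a (username, ip) key stays locked


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo credential store: username -> (salt, pbkdf2 hash).
# A real store draws the salt from os.urandom; a fixed one keeps this runnable.
_SALT = b"demo-salt-not-random"
_DUMMY_HASH = _pbkdf2("", _SALT)   # hashed against for unknown users (no timing oracle)
USERS = {"alice": (_SALT, _pbkdf2("correct-horse", _SALT))}


def password_matches(username: str, password: str) -> bool:
    """Constant-time comparison; unknown usernames cost the same as known ones."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    return ok and username in USERS


class LoginThrottle:
    """Tracks failed attempts per (username, client ip) and enforces a lockout.

    State is kept in process memory here; a deployed service would keep it in
    shared storage (cache or database) so every worker sees the same counters.
    """

    def __init__(self):
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _key(username: str, ip: str):
        return (username.strip().lower(), ip)

    def is_locked(self, username: str, ip: str, now: float) -> bool:
        key = self._key(username, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and the failures that caused it.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, username: str, ip: str, now: float) -> None:
        key = self._key(username, ip)
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, username: str, ip: str) -> None:
        key = self._key(username, ip)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def unthrottled_login(username: str, password: str) -> str:
    """The vulnerable shape: every attempt is checked, none is ever refused."""
    return "ok" if password_matches(username, password) else "denied"


def throttled_login(throttle: LoginThrottle, username: str, password: str,
                    ip: str, now: float) -> str:
    """Hardened shape: the lockout check runs before the password is examined."""
    if throttle.is_locked(username, ip, now):
        return "locked"            # right password or not, the attempt is refused
    if password_matches(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "denied"


def demo(now: float = 1_000.0):
    """Replay a constructed burst of six guesses through both login shapes."""
    guesses = ["letmein", "password", "123456", "qwerty", "alice1", "correct-horse"]
    weak = [unthrottled_login("alice", g) for g in guesses]
    throttle = LoginThrottle()
    strong = [throttled_login(throttle, "alice", g, "203.0.113.7", now + i)
              for i, g in enumerate(guesses)]
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("unthrottled:", weak)    # the sixth guess, the real password, succeeds
    print("throttled:  ", strong)  # the sixth guess is refused: the key is locked
```

Two design points matter here. The lock is checked before the credential, so once a key is locked the correct password is refused too, which is what removes the attacker's reward for guessing; and the key combines username with client IP, so a burst from one address does not lock everyone else out of that account, at the cost of not catching attempts spread across many addresses (a per-account counter or a global rate limit covers that case). In a Django application such as wger this logic is usually delegated to a package such as django-axes rather than written by hand.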

I used OWASP ZAP to find this vulnerability. At the time, huntr.dev would pay for vulnerabilities found in just about any GitHub repo. I was paid a whopping $10 USD. If you’re new to web application security testing, don’t let the cost of tools hold you back. ZAP is free and capable enough to find real, CVE-worthy bugs — this one is proof.

NVD record: CVE-2022-2650

Patch: wger-project/wger commit

wger GitHub: Repo

Original report: huntr.dev bounty