Suggestions search

Untriaged

Filter by:

With package: tandoor-recipes

Found 3 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-35046

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 week, 3 days ago

Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-9hhh-g2fc-r8x2 x_refsource_CONFIRM
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4 x_refsource_MISC

Affected products

recipes

==< 2.6.4

Matching in nixpkgs

pkgs.gnome-recipes

Recipe management application for GNOME

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

nixos-unstable 2.6.0
- nixpkgs-unstable 2.6.4
- nixos-unstable-small 2.6.4
nixos-25.11 2.6.0
- nixos-25.11-small 2.6.0
- nixpkgs-25.11-darwin 2.6.0

Package maintainers

@bobby285271 Bobby Rong <rjl931189261@126.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Permalink CVE-2026-33148

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 3 weeks ago

URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w x_refsource_CONFIRM

Affected products

recipes

==< 2.6.0

Matching in nixpkgs

pkgs.gnome-recipes

Recipe management application for GNOME

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3
nixos-25.11 2.5.3
- nixos-25.11-small 2.5.3
- nixpkgs-25.11-darwin 2.5.3

Package maintainers

@bobby285271 Bobby Rong <rjl931189261@126.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Permalink CVE-2026-25991

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 2 months ago

Tandoor Recipes affected by Blind SSRF with Internal Network Access via Recipe Import

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the destination URL after following HTTP redirects, allowing any authenticated user (including standard users without administrative privileges) to force the server to connect to arbitrary internal or external resources. The vulnerability lies in cookbook/integration/cookmate.py, within the Cookmate integration class. This vulnerability can be leveraged to scan internal network ports, access cloud instance metadata (e.g., AWS/GCP Metadata Service), or disclose the server's real IP address. This vulnerability is fixed in 2.5.1.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-j6xg-85mh-qqf7 x_refsource_CONFIRM
https://github.com/TandoorRecipes/recipes/commit/fdf22c5e745740db1fec29d6b4bd3df5d340e6ab x_refsource_MISC
https://github.com/TandoorRecipes/recipes/releases/tag/2.5.1 x_refsource_MISC

Affected products

recipes

==< 2.5.1

Matching in nixpkgs

pkgs.gnome-recipes

Recipe management application for GNOME

nixos-unstable 2.0.4

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

nixos-unstable 1.5.35
- nixpkgs-unstable 2.3.6
- nixos-unstable-small 2.3.6
nixos-25.11 2.3.6
- nixos-25.11-small 2.3.6
- nixpkgs-25.11-darwin 2.3.6

Package maintainers

@bobby285271 Bobby Rong <rjl931189261@126.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@jvanbruegge Jan van Brügge <supermanitu@gmail.com>