Skip to main content

Recipes CVE-2026-27460

| EUVDEUVD-2026-21549 MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-04-10 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.6.5
EUVD ID Assigned
Apr 10, 2026 - 19:22 euvd
EUVD-2026-21549
Analysis Generated
Apr 10, 2026 - 19:22 vuln.today
CVE Published
Apr 10, 2026 - 19:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or make a significantly degrade its performance by uploading a large size ZIP file (ZIP Bomb). This vulnerability is fixed in 2.6.5.

AnalysisAI

Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality that allows authenticated users to crash the application server or severely degrade performance by uploading a specially crafted ZIP bomb file. The vulnerability affects recipe management and meal planning features accessible to authenticated users and has been patched in version 2.6.5.

Technical ContextAI

The vulnerability exists in Tandoor Recipes' recipe import mechanism, which processes user-supplied ZIP archives without adequate safeguards against decompression attacks. This is an instance of CWE-409 (Improper Handling of Highly Compressed Data), a well-known attack vector where a small compressed file expands to enormous size upon decompression, consuming server memory and CPU resources. The flaw occurs because the application fails to validate decompressed file sizes or implement resource limits during the ZIP extraction process, allowing a malicious actor to craft a ZIP bomb-a file designed to decompress to an enormous size-that causes the server to exhaust available system resources. Tandoor Recipes is a self-hosted recipe management application commonly deployed in Docker containers and on personal servers, making authenticated recipe import a typical user workflow.

RemediationAI

Vendor-released patch: upgrade to Tandoor Recipes version 2.6.5 or later, which includes fixes to the ZIP import handling that implement resource limits and decompression validation. Users should follow the official Tandoor Recipes upgrade documentation for their deployment method (Docker, bare metal, etc.). As a temporary mitigation prior to upgrade, restrict recipe import functionality to trusted accounts only or disable the import feature entirely via application settings if available. Check the security advisory at https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8 for specific patching instructions and version-specific deployment notes.

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-25991 HIGH POC
7.7 Feb 13

Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import

CVE-2025-57396 MEDIUM POC
6.5 Sep 19

Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS

CVE-2024-0403 MEDIUM POC
6.5 Mar 01

Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. Rated medium severity (CVSS 6.5), t

CVE-2022-23071 MEDIUM POC
6.5 Jun 19

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” fu

CVE-2026-25964 MEDIUM POC
4.9 Feb 13

Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi

CVE-2026-35488 HIGH
8.1 Apr 07

Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t

CVE-2026-35045 HIGH
8.1 Apr 06

Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i

CVE-2022-23074 LOW POC
3.5 Jun 21

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Ke

CVE-2022-23073 LOW POC
3.5 Jun 21

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard funct

CVE-2022-23072 LOW POC
3.5 Jun 21

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functiona

CVE-2026-35489 HIGH
7.3 Apr 07

Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of se

Share

CVE-2026-27460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy