Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied query parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including & characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests - a Denial of Service condition. Version 2.6.0 patches the issue.
AnalysisAI
Tandoor Recipes versions prior to 2.6.0 allow authenticated remote attackers to cause denial of service by injecting URL parameters into the USDA FoodData Central search endpoint through improper URL encoding of the query parameter, enabling API key override and server crashes via malformed requests. Publicly available exploit code exists, and a vendor-released patch is available in version 2.6.0.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | The CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates this is a network-accessible denial of service vulnerability requiring low privileges (authenticated user) with low attack complexity and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user discovers they can inject URL parameters by appending '&key=attacker_key' to their FDC food search query. The attacker submits a search for 'apple&key=malicious', causing Tandoor Recipes to construct a malformed upstream API request to USDA FDC with their injected key override. … |
| Remediation | Upgrade Tandoor Recipes to version 2.6.0 or later immediately, as the vendor has released a patched version addressing the URL encoding issue. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS
Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi
Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t
Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i
Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of se
Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality
Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger s
Tandoor Recipes prior to version 2.6.4 allows authenticated users to inject malicious CSS via <style> tags in recipe ste
Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated high severity
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16311