
Recipes CVE-2026-35046

EUVD: EUVD-2026-19390 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 · GitHub_M
CVSS 3.1 score 5.4 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 5.4 MEDIUM · AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (4 events)

Apr 16, 2026 - 05:29 (EUVD): Patch available - 2.6.4
Apr 06, 2026 - 17:45 (euvd): EUVD ID assigned - EUVD-2026-19390
Apr 06, 2026 - 17:45 (vuln.today): Analysis generated
Apr 06, 2026 - 17:20 (nvd): CVE published - MEDIUM 5.4

Description (GitHub Advisory)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS - enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.
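The allow-list mistake the description attributes to the bleach.clean() call can be shown without bleach itself. The following is an added example, not Tandoor's code and not the bleach library: a small stdlib allow-list sanitizer run once with style permitted (the pre-2.6.4 shape) and once without it, whose set of rejected tags doubles as an audit check for steps stored before the fix. The tag list, the sample step and all helper names are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow list in the spirit of the bleach.clean() call described above;
# the project's exact tag list is not on this page.
BASE_TAGS = {"p", "br", "em", "strong", "ul", "ol", "li", "code", "a"}
WEAK_TAGS = BASE_TAGS | {"style"}  # pre-2.6.4 shape: <style> explicitly allowed
SAFE_TAGS = BASE_TAGS              # 2.6.4 shape: <style> no longer allowed


class AllowListSanitizer(HTMLParser):
    """Keep allowed tags (href only on <a>); escape any other tag's markup as text."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.rejected = allowed, [], set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.rejected.add(tag)  # audit signal: which disallowed tags were present
            self.out.append(escape(self.get_starttag_text()))
            return
        href = dict(attrs).get("href") if tag == "a" else None
        attr = f' href="{escape(href, quote=True)}"' if href else ""
        self.out.append(f"<{tag}{attr}>")  # all other attributes (onclick, ...) dropped

    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(close if tag in self.allowed else escape(close))

    def handle_data(self, data):
        # A <style> body reaches here as raw CDATA; escaping it leaves inert text.
        self.out.append(escape(data, quote=False))


def sanitize(fragment, allowed):
    """Return (clean_html, rejected_tags). A non-empty rejected set on data that
    was supposedly sanitized at write time means the stored step needs re-cleaning."""
    parser = AllowListSanitizer(allowed)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.rejected


# Constructed sample step (not from the advisory): a CSS overlay payload plus an
# <a> with an event-handler attribute that must not survive either.
STEP = ('<p>Whisk the eggs.</p><style>.login{opacity:0}</style>'
        '<a href="https://example.invalid/tips" onclick="x()">tips</a>')
```

With the weak list the CSS is served back verbatim, which is exactly what a client rendering instructions_markdown as HTML would then apply; with the fixed list the same bytes come back as escaped text.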

Analysis (AI)

Tandoor Recipes prior to version 2.6.4 allows authenticated users to inject malicious CSS via <style> tags in recipe step instructions due to improper sanitization by the bleach.clean() library, which whitelists <style> tags by default. Client applications rendering the instructions_markdown field from the API without additional sanitization will execute attacker-controlled CSS, enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration attacks. …


Vulnerability Assessment (AI)

Risk Assessment: This vulnerability presents moderate real-world risk despite a moderate CVSS score of 5.4. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated user with recipe editing permissions injects a malicious <style> tag containing CSS that redefines the login form position and opacity, overlaying a phishing form on top when another user views the recipe instructions via a web client. Alternatively, an attacker crafts CSS attribute selectors (e.g., input[value^="admin"]) to exfiltrate text via background-image URL calls to an attacker-controlled server. …

Remediation: Upgrade Tandoor Recipes to version 2.6.4 or later, which addresses the sanitization bypass. … Detailed patch versions, workarounds, and compensating controls in full report.


Related Tandoor Recipes vulnerabilities

CVE-2025-23211 · CRITICAL · 9.9 · Jan 28 · PoC: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-25991 · HIGH · 7.7 · Feb 13 · PoC: Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import

CVE-2025-57396 · MEDIUM · 6.5 · Sep 19 · PoC: Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS

CVE-2026-25964 · MEDIUM · 4.9 · Feb 13 · PoC: Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi

CVE-2026-35488 · HIGH · 8.1 · Apr 07: Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t

CVE-2026-35045 · HIGH · 8.1 · Apr 06: Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i

CVE-2026-35489 · HIGH · 7.3 · Apr 07: Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of se

CVE-2026-33148 · MEDIUM · 6.5 · Mar 26: Tandoor Recipes versions prior to 2.6.0 allow authenticated remote attackers to cause denial of service by injecting URL

CVE-2026-27460 · MEDIUM · 6.5 · Apr 10: Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality

CVE-2026-28503 · MEDIUM · 5.5 · Mar 26: Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger s

CVE-2026-29055 · MEDIUM · 5.3 · Mar 26: Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive

CVE-2025-23213 · HIGH · 8.7 · Jan 28 · PoC: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated high severity


CVE-2026-35046 vulnerability details – vuln.today
