Severity by source
CVSS 3.1 vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (base score 7.3, High)
Primary rating from GitHub Advisory · only source for this CVE.
Description (source: GitHub Advisory)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and an HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints that create a ShoppingListEntry go through ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.
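The two code paths the advisory contrasts, as an added example that is not Tandoor's own code: the unvalidated create() path beside a serializer-style path that rejects a non-numeric amount with a 400 and scopes the unit lookup to the caller's Space, plus the audit over existing rows that the recommended action asks for. Assumptions not taken from the page: an in-memory stand-in for the Unit and ShoppingListEntry tables, a caller-supplied space_id standing in for the request's Space, and the wording of the error bodies.

```python
# Added example, not Tandoor's own code. Models the pre-2.6.4 create path and
# a serializer-style hardened path. UNITS and the `entries` list stand in for
# the Unit and ShoppingListEntry tables (assumption, not the real schema).
from decimal import Decimal, InvalidOperation

# Constructed tenant data: units 1 and 2 belong to Space 1, unit 3 to Space 2.
UNITS = {
    1: {"name": "g", "space_id": 1},
    2: {"name": "ml", "space_id": 1},
    3: {"name": "cup", "space_id": 2},
}


def vulnerable_create(space_id, food_id, data, entries):
    """Pre-2.6.4 pattern: request.data fields go straight into create()."""
    raw_amount = data.get("amount", 1)
    unit_id = data.get("unit")
    # The ORM coerces the decimal field on save; a non-numeric string raises
    # here and nothing in the view catches it, hence the HTTP 500.
    amount = Decimal(str(raw_amount))
    # No check that the unit belongs to the caller's Space, so a foreign
    # primary key is attached to this tenant's entry without complaint.
    entry = {"space_id": space_id, "food_id": food_id,
             "amount": amount, "unit_id": unit_id}
    entries.append(entry)
    return entry


def hardened_create(space_id, food_id, data, entries):
    """Serializer-style validation; returns (http_status, body) like a DRF view."""
    errors = {}
    amount = None
    raw_amount = data.get("amount", 1)
    try:
        amount = Decimal(str(raw_amount))
        if not amount.is_finite() or amount < 0:
            raise InvalidOperation
    except InvalidOperation:
        amount = None
        errors["amount"] = "A valid number is required."
    unit_id = data.get("unit")
    if unit_id is not None:
        unit = UNITS.get(unit_id)
        # Equivalent of a related field whose queryset is filtered to the
        # request's Space: a unit from another Space is reported exactly like
        # a nonexistent one, so its existence does not leak either.
        if unit is None or unit["space_id"] != space_id:
            errors["unit"] = f'Invalid pk "{unit_id}" - object does not exist.'
    if errors:
        return 400, errors
    entry = {"space_id": space_id, "food_id": food_id,
             "amount": amount, "unit_id": unit_id}
    entries.append(entry)
    return 201, entry


def cross_space_entries(entries):
    """Audit of existing rows: entries whose unit lives in a different Space."""
    return [e for e in entries
            if e["unit_id"] is not None
            and (u := UNITS.get(e["unit_id"])) is not None
            and u["space_id"] != e["space_id"]]
```

Against a real database the audit is the ORM query of the same shape, roughly `ShoppingListEntry.objects.filter(unit__isnull=False).exclude(unit__space=F("space"))`, which assumes both models carry a `space` foreign key; any rows it returns were created through an unscoped path and should be reviewed before the upgrade is considered complete.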
Analysis (AI-generated)
The POST /api/food/{id}/shopping/ endpoint accepts unvalidated amount and unit parameters, allowing attackers to cause application crashes via malformed numeric inputs (HTTP 500 errors) and to leak foreign-key references across multi-tenant Space boundaries by associating unit IDs from other tenants. The CVSS score of 7.3 reflects a network-accessible, low-complexity attack requiring no authentication. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | A remote unauthenticated attacker can exploit Tandoor Recipes versions prior to 2.6.4 by sending crafted POST requests to the /api/food/{id}/shopping/ endpoint, either with unit IDs from another Space to leak foreign-key references across tenant boundaries, or with a non-numeric amount to trigger HTTP 500 errors. … |
| Risk Assessment | Real-world risk is moderate to high for multi-tenant Tandoor deployments and lower for single-user instances. … |
| Exploit Scenario | An unauthenticated attacker identifies a public-facing Tandoor Recipes instance (version < 2.6.4) and enumerates valid food object IDs by trial and error or by scraping publicly accessible recipe pages. The attacker then sends repeated POST requests to /api/food/{valid_id}/shopping/ with amount set to a non-numeric string (e.g., 'XXX'), each producing an HTTP 500 and degrading availability for legitimate users. … |
| Remediation | Upgrade to Tandoor Recipes 2.6.4 or later, which routes the affected endpoint through ShoppingListEntrySerializer to enforce field-type validation and tenant boundary checks. … |
Recommended Action (AI-generated)
{id}/shopping/ requests with malformed parameters and review cross-tenant data access patterns for evidence of exploitation.
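One way to run the log check the recommended action describes, as an added example that is neither the page's nor the project's code: it scans web-server access log lines for POST requests to /api/food/{id}/shopping/ that ended in a 500 and counts them per source address, which is the footprint the malformed-amount case leaves. It assumes the combined log format used by nginx and Apache; the sample lines are constructed. Cross-Space unit IDs do not show up here because they succeed with a 201, so that case needs the database-side audit instead.

```python
# Added example, not vuln.today's or Tandoor's code. Assumes combined log
# format; the sample lines below are constructed for the demonstration.
import re
from collections import Counter

# ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The affected endpoint, with or without a trailing slash or query string.
SHOPPING_RE = re.compile(r"^/api/food/\d+/shopping/?(\?.*)?$")

SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "POST /api/food/42/shopping/ HTTP/1.1" 500 145 "-" "curl/8.6"
203.0.113.5 - - [10/May/2026:12:00:02 +0000] "POST /api/food/42/shopping/ HTTP/1.1" 500 145 "-" "curl/8.6"
198.51.100.9 - - [10/May/2026:12:00:03 +0000] "POST /api/food/7/shopping/ HTTP/1.1" 201 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2026:12:00:04 +0000] "GET /api/recipe/ HTTP/1.1" 200 9012 "-" "curl/8.6"
203.0.113.5 - - [10/May/2026:12:00:05 +0000] "POST /api/food/43/shopping/ HTTP/1.1" 500 145 "-" "curl/8.6"
"""


def find_shopping_errors(log_text):
    """Count, per source IP, POST /api/food/{id}/shopping/ requests that returned 500."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if (m["method"] == "POST"
                and SHOPPING_RE.match(m["path"])
                and m["status"] == "500"):
            hits[m["ip"]] += 1
    return hits


def suspicious_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` such failures, sorted for stable output."""
    return sorted(ip for ip, n in find_shopping_errors(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for ip, n in find_shopping_errors(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed shopping-entry creates")
```

A single 500 on this endpoint can be an honest client bug; the threshold exists because the scenario on this page is repeated requests from one source. Once the instance runs 2.6.4 or later the same requests return 400, so the rule should be retired or switched to counting 400s if you still want visibility into probing.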
Other Tandoor Recipes advisories
- Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve…
- Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import…
- Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS…
- Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi…
- Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t…
- Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i…
- Tandoor Recipes versions prior to 2.6.0 allow authenticated remote attackers to cause denial of service by injecting URL…
- Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality…
- Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger s…
- Tandoor Recipes prior to version 2.6.4 allows authenticated users to inject malicious CSS via <style> tags in recipe ste…
- Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive…
- Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated high severity…
EUVD identifier: EUVD-2026-19674