EUVD-2026-19674 | CVE-2026-35489
Severity: HIGH 7.3 (CVSS 3.1)
Published: 2026-04-07 (GitHub_M)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

CVE Published: Apr 07, 2026 - 14:53 (nvd)
EUVD ID Assigned: Apr 07, 2026 - 15:30 (euvd), EUVD-2026-19674
Analysis Generated: Apr 07, 2026 - 15:30 (vuln.today)

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.

Analysis

Input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of service. The /api/food/{id}/shopping/ endpoint accepts unvalidated amount and unit parameters, so a caller can crash the request with a malformed numeric amount (unhandled exception, HTTP 500) and can associate a unit ID that belongs to another tenant's Space, leaking foreign-key references across multi-tenant Space boundaries. The CVSS vector scores this as PR:N (no privileges required); the advisory text itself does not say whether the endpoint is reachable without an account, so check that against your deployment's API authentication rather than assuming an unauthenticated attack path. …
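The two defects described above (an unguarded numeric conversion that turns into an HTTP 500, and a unit lookup that is not scoped to the caller's Space) are easiest to see side by side. The following is an added example written for this page, not Tandoor's code: the dataclasses stand in for the Django models, the dict lookups stand in for ORM queries, `ValidationError` stands in for the DRF exception that yields HTTP 400, and all tenant, unit and food records are constructed sample data. The negative-amount rule in `validate_entry` is an assumption about what a serializer would reject, not something the advisory states.

```python
"""Vulnerable vs. serializer-style validation for a shopping-list entry.
Added illustration; in-memory stand-ins for ORM models, not Tandoor's code."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional


@dataclass(frozen=True)
class Space:          # one tenant
    id: int
    name: str


@dataclass(frozen=True)
class Unit:           # a unit of measure owned by exactly one Space
    id: int
    name: str
    space: Space


@dataclass(frozen=True)
class Food:
    id: int
    name: str
    space: Space


@dataclass
class ShoppingListEntry:
    food: Food
    amount: Decimal
    unit: Optional[Unit]
    space: Space


class ValidationError(Exception):
    """Stand-in for rest_framework.exceptions.ValidationError (HTTP 400)."""


# Constructed sample data: two tenants, each with its own unit.
TENANT_A = Space(1, "tenant-a")
TENANT_B = Space(2, "tenant-b")
UNITS = {10: Unit(10, "g", TENANT_A), 20: Unit(20, "cup", TENANT_B)}
FOODS = {100: Food(100, "flour", TENANT_A)}


def vulnerable_create(space, food_id, data):
    """Pre-fix pattern: request values go straight into objects.create().
    No type check on amount, no Space scoping on the unit lookup."""
    food = FOODS[food_id]
    unit = UNITS.get(data.get("unit"))          # any tenant's unit id is accepted
    amount = Decimal(data.get("amount", 1))     # non-numeric -> uncaught InvalidOperation
    return ShoppingListEntry(food=food, amount=amount, unit=unit, space=space)


def validate_entry(space, data):
    """Serializer-style validation: clean values or a ValidationError (400)."""
    errors = {}
    amount = None
    try:
        amount = Decimal(str(data.get("amount", 1)))
        if not amount.is_finite() or amount < 0:   # assumption: negatives rejected
            raise InvalidOperation
    except (InvalidOperation, ValueError):
        errors["amount"] = "A valid number is required."
    unit = None
    unit_id = data.get("unit")
    if unit_id is not None:
        # Equivalent of a PrimaryKeyRelatedField whose queryset is filtered by
        # the caller's Space: a foreign unit id is simply an invalid pk.
        candidate = UNITS.get(unit_id)
        if candidate is None or candidate.space != space:
            errors["unit"] = f'Invalid pk "{unit_id}" - object does not exist.'
        else:
            unit = candidate
    if errors:
        raise ValidationError(errors)
    return amount, unit


def hardened_create(space, food_id, data):
    food = FOODS[food_id]
    amount, unit = validate_entry(space, data)
    return ShoppingListEntry(food=food, amount=amount, unit=unit, space=space)


def classify(create_fn, space, food_id, data):
    """Run a create function and report the HTTP outcome a view would produce."""
    try:
        entry = create_fn(space, food_id, data)
    except ValidationError as e:
        return ("400", dict(e.args[0]))
    except Exception as e:               # anything uncaught in a view -> 500
        return ("500", type(e).__name__)
    leaked = entry.unit is not None and entry.unit.space != entry.space
    return ("201", {"cross_space_unit": leaked})


if __name__ == "__main__":
    for fn in (vulnerable_create, hardened_create):
        print(fn.__name__, classify(fn, TENANT_A, 100, {"amount": "abc"}))
        print(fn.__name__, classify(fn, TENANT_A, 100, {"amount": "2", "unit": 20}))
```

Run stand-alone, the script shows the vulnerable path returning a 500 for `amount="abc"` and a 201 that references tenant B's unit from tenant A's Space, while the hardened path returns a 400 in both cases and only accepts a unit owned by the caller's Space.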


Remediation

Within 24 hours: verify your Tandoor Recipes version and confirm whether you operate a multi-tenant (multi-Space) deployment, where the cross-Space unit reference leak matters most. Within 7 days: upgrade to Tandoor Recipes 2.6.4 or later; the upgrade is the only remediation, since the missing validation sits in the endpoint itself. …


Priority Score

37 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0
