VYPR
Medium severity5.4NVD Advisory· Published Apr 6, 2026· Updated Apr 10, 2026

CVE-2026-35046

CVE-2026-35046

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Tandoor/Recipes2 versions
    cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*range: <2.6.4
    • (no CPE)range: <2.6.4

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.