Mealie
Products
1- 16 CVEs
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-34615 | Cri | 0.64 | 9.8 | 0.01 | Aug 19, 2022 | Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. | ||
| CVE-2022-34613 | Cri | 0.64 | 9.8 | 0.01 | Aug 2, 2022 | Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file. | ||
| CVE-2024-55073 | Hig | 0.49 | 7.6 | 0.00 | Mar 27, 2025 | A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. | ||
| CVE-2022-34625 | Hig | 0.47 | 7.2 | 0.02 | Aug 2, 2022 | Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template. | ||
| CVE-2022-34621 | Med | 0.42 | 6.5 | 0.01 | Aug 19, 2022 | Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter. | ||
| CVE-2022-34624 | Med | 0.38 | 5.9 | 0.01 | Aug 19, 2022 | Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request. | ||
| CVE-2024-55072 | Med | 0.35 | 5.4 | 0.00 | Mar 27, 2025 | A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. | ||
| CVE-2022-34619 | Med | 0.35 | 5.4 | 0.01 | Aug 2, 2022 | A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shopping Lists item names text field. | ||
| CVE-2022-34618 | Med | 0.35 | 5.4 | 0.01 | Aug 2, 2022 | A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field. | ||
| CVE-2022-32425 | Med | 0.34 | 5.3 | 0.01 | Jul 14, 2022 | The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time. | ||
| CVE-2024-55070 | Low | 0.20 | 3.1 | 0.00 | Mar 27, 2025 | A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group managers to edit their own permissions. | ||
| CVE-2025-70296 | 0.00 | — | 0.00 | Feb 11, 2026 | A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view. | |||
| CVE-2025-70297 | 0.00 | — | 0.00 | Feb 11, 2026 | A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s… | |||
| CVE-2025-56795 | 0.00 | — | 0.00 | Sep 29, 2025 | Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to… | |||
| CVE-2024-31991 | Med | 0.00 | 4.1 | 0.00 | Apr 19, 2024 | Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor… |
- risk 0.64cvss 9.8epss 0.01
Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to the application via brute-force attacks.
- risk 0.64cvss 9.8epss 0.01
Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file.
- risk 0.49cvss 7.6epss 0.00
A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household.
- risk 0.47cvss 7.2epss 0.02
Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template.
- risk 0.42cvss 6.5epss 0.01
Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.
- risk 0.38cvss 5.9epss 0.01
Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
- risk 0.35cvss 5.4epss 0.00
A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household.
- risk 0.35cvss 5.4epss 0.01
A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shopping Lists item names text field.
- risk 0.35cvss 5.4epss 0.01
A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field.
- risk 0.34cvss 5.3epss 0.01
The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time.
- risk 0.20cvss 3.1epss 0.00
A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group managers to edit their own permissions.
- CVE-2025-70296Feb 11, 2026risk 0.00cvss —epss 0.00
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.
- CVE-2025-70297Feb 11, 2026risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s…
- CVE-2025-56795Sep 29, 2025risk 0.00cvss —epss 0.00
Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to…
- risk 0.00cvss 4.1epss 0.00
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor…