Tandoor
Products
1- 23 CVEs
Recent CVEs
23| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-23838 | Hig | 0.57 | — | 0.00 | Jan 19, 2026 | Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may… | ||
| CVE-2026-33149 | Hig | 0.53 | 8.1 | 0.00 | Mar 26, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses… | ||
| CVE-2026-35488 | Hig | 0.46 | 8.1 | 0.00 | Apr 7, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for… | ||
| CVE-2026-35045 | Hig | 0.46 | 8.1 | 0.00 | Apr 6, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes… | ||
| CVE-2026-35489 | Hig | 0.40 | 7.3 | 0.00 | Apr 7, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to… | ||
| CVE-2026-27460 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or… | ||
| CVE-2026-35046 | Med | 0.28 | 5.4 | 0.00 | Apr 6, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the… | ||
| CVE-2007-1617 | 0.03 | — | 0.01 | Mar 23, 2007 | SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. | |||
| CVE-2026-33152 | 0.00 | — | 0.01 | Mar 26, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting… | |||
| CVE-2026-33153 | 0.00 | — | 0.00 | Mar 26, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table… | |||
| CVE-2026-33148 | 0.00 | — | 0.00 | Mar 26, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the… | |||
| CVE-2026-29055 | 0.00 | — | 0.00 | Mar 26, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image… | |||
| CVE-2026-28503 | 0.00 | — | 0.00 | Mar 26, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)`… | |||
| CVE-2026-25991 | 0.00 | — | 0.00 | Feb 13, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the… | |||
| CVE-2026-25964 | 0.00 | — | 0.00 | Feb 13, 2026 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the… | |||
| CVE-2025-57396 | 0.00 | — | 0.00 | Sep 19, 2025 | Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently,… | |||
| CVE-2025-23213 | 0.00 | — | 0.00 | Jan 28, 2025 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows to upload arbitrary files, including html and svg. Both can contain malicious content (XSS Payloads). This vulnerability is fixed in 1.5.28. | |||
| CVE-2025-23212 | 0.00 | — | 0.01 | Jan 28, 2025 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28. | |||
| CVE-2025-23211 | 0.00 | — | 0.03 | Jan 28, 2025 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file as root. This vulnerability is fixed in 1.5.24. | |||
| CVE-2024-0403 | 0.00 | — | 0.00 | Feb 29, 2024 | Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. This is possible because the application is vulnerable to SSRF. |
- risk 0.57cvss —epss 0.00
Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may…
- risk 0.53cvss 8.1epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses…
- risk 0.46cvss 8.1epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for…
- risk 0.46cvss 8.1epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes…
- risk 0.40cvss 7.3epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to…
- risk 0.35cvss 6.5epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or…
- risk 0.28cvss 5.4epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the…
- CVE-2007-1617Mar 23, 2007risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
- CVE-2026-33152Mar 26, 2026risk 0.00cvss —epss 0.01
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting…
- CVE-2026-33153Mar 26, 2026risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table…
- CVE-2026-33148Mar 26, 2026risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the…
- CVE-2026-29055Mar 26, 2026risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image…
- CVE-2026-28503Mar 26, 2026risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)`…
- CVE-2026-25991Feb 13, 2026risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the…
- CVE-2026-25964Feb 13, 2026risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the…
- CVE-2025-57396Sep 19, 2025risk 0.00cvss —epss 0.00
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently,…
- CVE-2025-23213Jan 28, 2025risk 0.00cvss —epss 0.00
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows to upload arbitrary files, including html and svg. Both can contain malicious content (XSS Payloads). This vulnerability is fixed in 1.5.28.
- CVE-2025-23212Jan 28, 2025risk 0.00cvss —epss 0.01
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28.
- CVE-2025-23211Jan 28, 2025risk 0.00cvss —epss 0.03
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file as root. This vulnerability is fixed in 1.5.24.
- CVE-2024-0403Feb 29, 2024risk 0.00cvss —epss 0.00
Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. This is possible because the application is vulnerable to SSRF.