VYPR
Vendor: Tandoor
Products: 1
CVEs: 23 (23 across products)
Status: Private

Recent CVEs (23)
  • CVE-2026-23838 | High | Jan 19, 2026
    risk 0.57 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may…

  • CVE-2026-33149 | High | Mar 26, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses…

  • CVE-2026-35488 | High | Apr 7, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for…

  • CVE-2026-35045 | High | Apr 6, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes…

  • CVE-2026-35489 | High | Apr 7, 2026
    risk 0.40 | CVSS 7.3 | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to…

  • CVE-2026-27460 | Medium | Apr 10, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability existed in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or…

  • CVE-2026-35046 | Medium | Apr 6, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the…

  • CVE-2007-1617 | Mar 23, 2007
    risk 0.03 | CVSS n/a | EPSS 0.01

    SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2026-33152 | Mar 26, 2026
    risk 0.00 | CVSS n/a | EPSS 0.01

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting…

  • CVE-2026-33153 | Mar 26, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table…

  • CVE-2026-33148 | Mar 26, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the…

  • CVE-2026-29055 | Mar 26, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image…

  • CVE-2026-28503 | Mar 26, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)`…

  • CVE-2026-25991 | Feb 13, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the…

  • CVE-2026-25964 | Feb 13, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the…

  • CVE-2025-57396 | Sep 19, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently,…

  • CVE-2025-23213 | Jan 28, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG. Both can contain malicious content (XSS payloads). This vulnerability is fixed in 1.5.28.

  • CVE-2025-23212 | Jan 28, 2025
    risk 0.00 | CVSS n/a | EPSS 0.01

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28.

  • CVE-2025-23211 | Jan 28, 2025
    risk 0.00 | CVSS n/a | EPSS 0.03

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server; when deployed with the provided Docker Compose file, those commands run as root. This vulnerability is fixed in 1.5.24.

  • CVE-2024-0403 | Feb 29, 2024
    risk 0.00 | CVSS n/a | EPSS 0.00

    Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. This is possible because the application is vulnerable to SSRF.
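As an added illustration of the point in CVE-2026-33149 (a permissive `ALLOWED_HOSTS = '*'` default lets Django accept any Host header), the block below is not Tandoor's or Django's code: it re-implements the matching rules Django documents for ALLOWED_HOSTS (exact match, a leading-dot subdomain wildcard, and the bare `*`) so the wildcard default and an explicit allowlist can be compared without a Django install. The hostnames `recipes.example.com`, `.internal.example.com` and the sample Host headers are assumed, constructed values.

```python
"""Host-header allowlisting: why ALLOWED_HOSTS = ['*'] accepts everything.

Added example, not Tandoor's or Django's code. It mirrors the documented
ALLOWED_HOSTS matching rules so the weak wildcard default can be compared
against a real allowlist. All hostnames below are constructed.
"""
import re

# Shape of a syntactically valid host[:port]: hostname, IPv4, or bracketed IPv6.
_HOST_RE = re.compile(
    r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$", re.IGNORECASE
)


def split_domain_port(host: str) -> tuple[str, str]:
    """Return (domain, port); port is '' when absent. Malformed input -> ('', '')."""
    host = host.lower()
    m = _HOST_RE.match(host)
    if not m:
        return "", ""
    domain, port = m.groups(default="")
    # A trailing dot marks a fully qualified name; drop it before matching.
    domain = domain[:-1] if domain.endswith(".") else domain
    return domain, port[1:]


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or subdomain match when the pattern starts with a dot."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        # '.internal.example.com' matches the apex and any subdomain of it.
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host: str, allowed_hosts: list[str]) -> bool:
    """True if any allowlist entry matches; a bare '*' matches every host."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def host_accepted(raw_host_header: str, allowed_hosts: list[str]) -> bool:
    """Emulate the check a framework runs on an incoming Host header."""
    domain, _port = split_domain_port(raw_host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


# Weak default reported for Tandoor <= 2.5.3 versus an explicit allowlist (assumed names).
WEAK_ALLOWED_HOSTS = ["*"]
SAFE_ALLOWED_HOSTS = ["recipes.example.com", ".internal.example.com"]

# Constructed Host headers: two legitimate, one attacker-controlled.
SAMPLE_HOSTS = [
    "recipes.example.com",
    "api.internal.example.com:8443",
    "evil.example.net",
]


def compare(hosts: list[str] = SAMPLE_HOSTS) -> dict[str, tuple[bool, bool]]:
    """Map each Host header to (accepted_by_wildcard, accepted_by_allowlist)."""
    return {
        h: (host_accepted(h, WEAK_ALLOWED_HOSTS), host_accepted(h, SAFE_ALLOWED_HOSTS))
        for h in hosts
    }


if __name__ == "__main__":
    for h, (weak, safe) in compare().items():
        print(f"{h:32} wildcard={weak!s:5} allowlist={safe}")
```

The attacker-controlled `evil.example.net` is accepted under the wildcard and rejected under the allowlist; the same function also rejects syntactically invalid Host values regardless of the list, which is the behaviour an explicit `ALLOWED_HOSTS` buys over `'*'`.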