CVE-2025-23213

HIGH

Tandoor Recipes < 1.5.28 - Unrestricted Upload of Dangerous File Types

Title source: llm

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows to upload arbitrary files, including html and svg. Both can contain malicious content (XSS Payloads). This vulnerability is fixed in 1.5.28.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-56jp-j3x5-hh2w

Patch x_refsource_misc

https://github.com/TandoorRecipes/recipes/commit/3e37d11c6a3841a00eb27670d1d003f1a713e1cf

View Patch ZIP pw:eip

Scores

CVSS v3 8.7

EPSS 0.0034

EPSS Percentile 25.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (1)

tandoor/recipes < 1.5.28

Published Jan 28, 2025

Tracked Since Feb 18, 2026