CVE-2025-56795

CRITICAL

mealie < 3.0.1 - Stored Cross-Site Scripting via Recipe Note and Text Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-56795. PoCs published by B1tBreaker.

AI-analyzed exploit summary: This repository documents two stored XSS vulnerabilities in Mealie's recipe creation functionality, affecting versions up to 3.0.1. The PoC demonstrates how unsanitized input in the 'note' and 'text' parameters can lead to JavaScript execution when the recipe is viewed.

Description

Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping, leading to persistent XSS.

Exploits (1)

nomisec · Writeup · 1 star
by B1tBreaker · poc
https://github.com/B1tBreaker/CVE-2025-56795


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Mealie up to and including 3.0.1
Auth required
Prerequisites: Access to create a recipe in Mealie
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.0
EPSS 0.0033
EPSS Percentile 24.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
mealie/mealie < 3.0.1
Published Sep 29, 2025
Tracked Since Feb 18, 2026