A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 29 Sep 2025 14:45:00 +0000


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-09-29T14:31:00.998Z

Reserved: 2023-11-20T00:00:00.000Z

Link: CVE-2023-48866

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-12-04T15:15:07.560

Modified: 2025-09-29T15:16:04.820

Link: CVE-2023-48866

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.