Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
Published: 2026-02-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read via Local File Disclosure
Action: Apply Patch
AI Analysis

Impact

In Tandoor Recipes, an authenticated local file disclosure vulnerability exists in the RecipeImport workflow. The application fails to validate the file_path parameter and does not enforce directory restrictions in the local storage backend. As a result, an attacker with import permissions can craft a file_path that traverses directories and read any file accessible to the application process. This can expose sensitive user data, system configuration files, or other files the service depends on, which may in turn enable further compromise of the host.

Affected Systems

Any installation of the TandoorRecipes:recipes application running a version earlier than 2.5.1 is affected; the CVE lists Tandoor Recipes as the affected vendor/product, and all releases prior to 2.5.1 are in scope. The flaw is reachable by any authenticated user holding import permissions.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.9, indicating moderate severity, while the EPSS score remains below 1%, suggesting a low probability of exploitation at present. The CVE is not included in CISA's KEV catalog. Exploitation requires an authenticated session with import privileges: the attacker must log into the application and supply a crafted file_path during recipe import. If successful, the attacker can read arbitrary files and potentially advance to full system compromise.

Generated by OpenCVE AI on April 17, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tandoor Recipes application to version 2.5.1 or later to fix the file path validation flaw.
  • If an upgrade is not immediately feasible, restrict or disable the Recipe Import feature for all users except trusted administrators who truly require it.
  • Run the application under the least-privilege user account and ensure that the web process does not have write access to system directories such as /etc or project configuration folders.
  • Validate the file_path parameter on the server side, rejecting paths containing '..' or absolute paths, and enforce strict directory boundaries before processing.
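A containment check of the kind the last recommendation describes, written here in Python as an added example (this is not Tandoor's code; the storage root, the helper names and the sample paths are constructed for illustration). It decides containment on the resolved real path rather than on a '..' substring scan, which would both reject a legitimate file name that happens to contain '..' and accept a symlink that points outside the root:

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested file_path escapes the storage root."""


def resolve_within_root(storage_root: str, file_path: str) -> str:
    """Resolve file_path under storage_root and prove the result stays inside.
    Containment is decided on the realpath, not on a '..' substring scan."""
    if not file_path or "\x00" in file_path:
        raise UnsafePathError("empty file_path or NUL byte")
    if os.path.isabs(file_path):  # os.path.join would discard the root entirely
        raise UnsafePathError(f"absolute path rejected: {file_path!r}")
    root_real = os.path.realpath(storage_root)
    candidate = os.path.realpath(os.path.join(root_real, file_path))
    # commonpath compares whole components, so '/srv/store2' is not inside '/srv/store'
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePathError(f"path escapes storage root: {file_path!r}")
    return candidate


def is_safe_import_path(storage_root: str, file_path: str) -> bool:
    """True if file_path resolves inside storage_root, False otherwise."""
    try:
        resolve_within_root(storage_root, file_path)
        return True
    except UnsafePathError:
        return False


def demo() -> dict:
    """Run the check over constructed sample paths in a throwaway storage root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "storage")
        os.makedirs(os.path.join(root, "imports"))
        Path(root, "imports", "recipes..v2.json").write_text("{}")
        outside = os.path.join(tmp, "outside.txt")  # stands in for a system file
        Path(outside).write_text("not yours")
        # A symlink inside the root that points outside it defeats substring checks.
        os.symlink(outside, os.path.join(root, "imports", "link.json"))
        samples = ["imports/recipes..v2.json",   # legitimate: '..' inside a file name
                   "../../etc/passwd",           # classic traversal
                   "/etc/passwd",                # absolute path
                   "imports/../../settings.py",  # traversal after a valid prefix
                   "imports/link.json"]          # symlink escape
        return {p: is_safe_import_path(root, p) for p in samples}
```

Only the first sample path is accepted; the other four are rejected even though two of them never contain a literal '..'.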



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Tandoor
                    |                | Tandoor recipes
CPEs                |                | cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
Vendors & Products  |                | Tandoor
                    |                | Tandoor recipes

Fri, 13 Feb 2026 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Tandoorrecipes
                    |                | Tandoorrecipes recipes
Vendors & Products  |                | Tandoorrecipes
                    |                | Tandoorrecipes recipes

Fri, 13 Feb 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 18:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
Title       |                | Tandoor Recipes Affected by Authenticated Local File Disclosure (LFD) via Recipe Import leads to Arbitrary File Read
Weaknesses  |                | CWE-22
            |                | CWE-73
References  |                |
Metrics     |                | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T20:01:40.545Z

Reserved: 2026-02-09T17:13:54.066Z

Link: CVE-2026-25964

Vulnrichment

Updated: 2026-02-13T20:01:06.908Z

NVD

Status : Analyzed

Published: 2026-02-13T19:17:28.810

Modified: 2026-02-17T16:07:02.177

Link: CVE-2026-25964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses