Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability existed in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or significantly degrade its performance by uploading a large ZIP file (ZIP bomb). This vulnerability is fixed in 2.6.5.
Published: 2026-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Tandoor Recipes, a recipe management application, contains a flaw in its recipe import feature that permits a denial-of-service condition. An authenticated user can upload a ZIP archive (a ZIP bomb) whose size vastly exceeds the target system's capacity, triggering resource exhaustion and causing the server to crash or become heavily degraded.

Affected Systems

The vulnerability affects TandoorRecipes:recipes prior to version 2.6.5. All installations running any version earlier than 2.6.5 are potentially exposed. The fix is included in version 2.6.5 and newer.

Risk and Exploitability

The CVE record lists a CVSS score of 6.5 (Medium), while the EPSS score is below 1 percent, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires legitimate access to the import functionality: the CVSS vector (AV:N/PR:L) describes a network attack by a low-privileged authenticated user. The result is service disruption to all users of the affected instance.

Generated by OpenCVE AI on April 14, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tandoor Recipes to version 2.6.5 or later to eliminate the vulnerability.
  • If an upgrade is not immediately possible, restrict or disable exposed recipe import endpoints, and enforce strict size limits on uploaded ZIP files.
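
One way to enforce the size limits recommended above before any import code touches the archive, as an added example (not Tandoor's code and not its 2.6.5 fix). The names `read_zip_bounded`, `ArchiveRejected` and `make_zip`, and every limit value, are assumptions chosen for illustration.

```python
import io
import zipfile

class ArchiveRejected(Exception):
    """Raised when an uploaded archive exceeds a configured limit."""

def read_zip_bounded(data, max_upload=10 * 2**20, max_members=1000,
                     max_total=50 * 2**20, max_ratio=100, chunk=64 * 1024):
    """Return {name: bytes} for a ZIP upload, or raise ArchiveRejected.

    All limits are illustrative defaults, not values used by Tandoor.
    """
    if len(data) > max_upload:
        raise ArchiveRejected("compressed upload too large")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected("not a valid ZIP archive") from exc
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > max_members:
            raise ArchiveRejected("too many members")
        # Pass 1: cheap checks on sizes declared in the central directory.
        if sum(i.file_size for i in infos) > max_total:
            raise ArchiveRejected("declared uncompressed size over limit")
        for i in infos:
            if i.file_size > max_ratio * max(i.compress_size, 1):
                raise ArchiveRejected("compression ratio over limit: " + i.filename)
        # Pass 2: stream each member and cap the bytes actually inflated,
        # so the limit does not rest on archive metadata alone.
        out, total = {}, 0
        for i in infos:
            buf = bytearray()
            with zf.open(i) as fh:
                while True:
                    piece = fh.read(chunk)
                    if not piece:
                        break
                    total += len(piece)
                    if total > max_total:
                        raise ArchiveRejected("inflated size over limit")
                    buf += piece
            out[i.filename] = bytes(buf)
        return out

def make_zip(members):
    """Build a constructed sample archive from {name: bytes} (test input only)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return bio.getvalue()
```

The ratio limit will also reject legitimate but highly compressible files, so it should be tuned against real import archives before deployment.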



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tandoor; Tandoor recipes
CPEs | | cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
Vendors & Products | | Tandoor; Tandoor recipes

Mon, 13 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tandoorrecipes; Tandoorrecipes recipes
Vendors & Products | | Tandoorrecipes; Tandoorrecipes recipes

Fri, 10 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability existed in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or significantly degrade its performance by uploading a large ZIP file (ZIP bomb). This vulnerability is fixed in 2.6.5.
Title | | Tandoor Recipes Affected by Denial of Service via Recipe Import
Weaknesses | | CWE-409
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:35:58.210Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27460

Vulnrichment

Updated: 2026-04-13T15:23:55.751Z

NVD

Status: Analyzed

Published: 2026-04-10T19:16:21.427

Modified: 2026-04-14T17:29:17.780

Link: CVE-2026-27460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses