Impact
In Tandoor Recipes versions prior to 2.6.0, the image upload pipeline deliberately skips EXIF data removal for WebP and GIF files. When a user attaches a recipe photo in one of these formats, the application stores the original file together with all embedded metadata and serves it unchanged to anyone who can view the recipe. The result is a confidentiality breach: personally identifiable information written into the file by the camera or phone, such as GPS coordinates and device identifiers, is exposed. The underlying weakness is the failure to sanitize image metadata before storage.
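As an added illustration (not Tandoor Recipes code, and not the 2.6.0 fix), the following Python standard-library script shows what the WebP case of this weakness looks like at the container level: it walks the RIFF chunks of a WebP file, reports whether an EXIF chunk is present and whether that EXIF's IFD0 carries a GPSInfo pointer (tag 0x8825), and then rebuilds the file without the EXIF and XMP chunks, clearing the matching flag bits in the VP8X header so decoders do not expect them. The sample file is constructed inline with a placeholder VP8 chunk rather than real pixel data; only the container layout matters for the demonstration.

```python
"""Detect and strip EXIF/XMP metadata from a WebP (RIFF) container.

Added example using only the standard library; not Tandoor Recipes code.
"""
import struct

METADATA_CHUNKS = {b"EXIF", b"XMP "}   # RIFF chunks that carry metadata, not pixels
GPS_IFD_TAG = 0x8825                   # TIFF IFD0 entry pointing to the GPS sub-IFD
VP8X_EXIF_FLAG, VP8X_XMP_FLAG = 0x08, 0x04


def iter_riff_chunks(data):
    """Yield (fourcc, payload) for each chunk inside a RIFF/WEBP file."""
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP file")
    end = min(len(data), 8 + struct.unpack("<I", data[4:8])[0])
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated chunk %r" % fourcc)
        yield fourcc, payload
        pos += 8 + size + (size & 1)   # chunk payloads are padded to even length


def riff_chunk(fourcc, payload):
    """Serialise one RIFF chunk, including the pad byte for odd-length payloads."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


def exif_has_gps(exif):
    """True if a TIFF-formatted EXIF blob has a GPSInfo pointer in IFD0."""
    if exif[:6] == b"Exif\x00\x00":     # tolerate the JPEG-style APP1 prefix
        exif = exif[6:]
    endian = {b"II": "<", b"MM": ">"}.get(exif[:2])
    if endian is None or len(exif) < 8 or struct.unpack(endian + "H", exif[2:4])[0] != 42:
        return False
    ifd0 = struct.unpack(endian + "I", exif[4:8])[0]
    if ifd0 + 2 > len(exif):
        return False
    count = struct.unpack(endian + "H", exif[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i           # each IFD entry: tag, type, count, value/offset
        if entry + 12 > len(exif):
            break
        if struct.unpack(endian + "H", exif[entry:entry + 2])[0] == GPS_IFD_TAG:
            return True
    return False


def inspect_webp(data):
    """Report which chunks are present, the VP8X flags, and whether EXIF carries GPS data."""
    report = {"chunks": [], "vp8x_flags": None, "has_exif": False, "has_xmp": False, "has_gps": False}
    for fourcc, payload in iter_riff_chunks(data):
        report["chunks"].append(fourcc.decode("ascii"))
        if fourcc == b"VP8X":
            report["vp8x_flags"] = payload[0]
        elif fourcc == b"EXIF":
            report["has_exif"] = True
            report["has_gps"] = exif_has_gps(payload)
        elif fourcc == b"XMP ":
            report["has_xmp"] = True
    return report


def strip_webp_metadata(data):
    """Rebuild the container without EXIF/XMP chunks; clear the matching VP8X flag bits."""
    body = b""
    for fourcc, payload in iter_riff_chunks(data):
        if fourcc in METADATA_CHUNKS:
            continue
        if fourcc == b"VP8X":
            flags = payload[0] & (0xFF ^ (VP8X_EXIF_FLAG | VP8X_XMP_FLAG))
            payload = bytes([flags]) + payload[1:]
        body += riff_chunk(fourcc, payload)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


def build_sample_webp():
    """Constructed test file: VP8X header, placeholder VP8 chunk, EXIF with a GPS IFD pointer.

    The VP8 payload is not a real bitstream; only the container layout matters here.
    """
    tiff = b"II*\x00" + struct.pack("<I", 8)              # little-endian TIFF header, IFD0 at 8
    tiff += struct.pack("<H", 1)                          # IFD0: one entry
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)   # GPSInfo (LONG) -> GPS IFD at offset 26
    tiff += struct.pack("<I", 0)                          # no next IFD
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)   # empty GPS IFD at offset 26
    vp8x = bytes([VP8X_EXIF_FLAG]) + b"\x00" * 3 + b"\x00" * 3 + b"\x00" * 3  # flags, reserved, 1x1 canvas
    body = riff_chunk(b"VP8X", vp8x) + riff_chunk(b"VP8 ", b"\x00" * 11) + riff_chunk(b"EXIF", tiff)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


if __name__ == "__main__":
    original = build_sample_webp()
    print("before:", inspect_webp(original))
    cleaned = strip_webp_metadata(original)
    print("after: ", inspect_webp(cleaned))
```

A production upload pipeline would normally re-encode the image through its imaging library rather than splice the container by hand, but the chunk-level view makes explicit what "metadata removal" has to do for WebP: drop the EXIF and XMP chunks and clear the VP8X bits that advertise them. The ICCP colour-profile chunk is kept because it carries no personal data. GIF has no EXIF chunk, but it can carry XMP in an Application Extension block, so the same strip-on-ingest rule applies to it.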
Affected Systems
The vulnerability affects the Tandoor Recipes application published by TandoorRecipes, specifically any instance running a version earlier than 2.6.0. Every user who uploads a recipe image in WebP or GIF format can have the file's embedded metadata exposed, and anyone who can view the recipe can read it, because the served file still contains it. The issue is not tied to a particular deployment scenario, so any installation of an affected version is susceptible. Operators can confirm exposure on their own instance by downloading a previously uploaded WebP or GIF image and inspecting it with a metadata reader such as exiftool.
Risk and Exploitability
The CVSS score of 5.3 denotes medium severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, so there is no indication that it has been exploited in the wild. No special conditions are needed: a user who uploads a WebP or GIF photo taken on a phone with location tagging enabled leaks the embedded fields, and anyone able to view the recipe can download the file and read them with standard metadata tools; no privileges beyond the normal ability to view recipes are required. The risk is to privacy (confidentiality) rather than to system integrity or availability.
OpenCVE Enrichment