Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Tandoor Recipes versions earlier than 2.6.0 allow a user to inject raw URL parameters into the FDC (FoodData Central) search endpoint by including ampersand characters in the query string. This uncontrolled interpolation enables an attacker to override the embedded API key, alter the upstream query logic, and send malformed requests that cause the server to crash with a 500 error, resulting in a denial of service condition. The flaw is a URL parameter injection, tracked as CWE-74 (improper neutralization of special elements in output used by a downstream component).

Affected Systems

The affected product is TandoorRecipes:recipes. All deployments running any version prior to 2.6.0 are vulnerable. The vulnerability is mitigated when the application is upgraded to version 2.6.0 or later, which applies proper URL encoding to the query parameter.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate risk, and the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, although the SSVC assessment records that a proof of concept exists. Attackers can exploit the flaw remotely by crafting HTTP requests to the search endpoint with injected parameters; the CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates that low privileges and no user interaction are required, so any user with an account that can reach the search endpoint can trigger the crash. The vector scores no confidentiality or integrity impact, so beyond incapacitating the service the attacker gains the ability to substitute the upstream API key and alter the upstream query, not code execution or data exfiltration.

Generated by OpenCVE AI on March 30, 2026 at 20:28 UTC.
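The following is an added example, not code from Tandoor Recipes or from the advisory. It reconstructs the two URL-construction patterns the description contrasts: raw interpolation of `query` (pre-2.6.0) versus percent-encoding of every parameter (2.6.0), and parses each resulting URL the way an upstream server would, so the duplicated `api_key` produced by an `&` in the query is visible. The base URL, the `api_key` parameter name and the key value are assumptions modelled on the public USDA FDC search API; the advisory only states that `query` is interpolated unencoded. The example also goes one step beyond the advisory's `&` case by showing that an unencoded `#` truncates the query string, which is why percent-encoding, rather than filtering `&`, is the correct fix.

```python
"""Added example (not Tandoor's code): contrast the unencoded URL
construction CVE-2026-33148 describes with the percent-encoded form that
version 2.6.0 adopts, and show what the upstream server would parse."""
from urllib.parse import parse_qs, urlencode, urlsplit

# ASSUMPTIONS: the upstream base URL and the `api_key` parameter name are
# modelled on the public USDA FDC search API; the advisory only states that
# the user-supplied `query` value is interpolated without encoding.
FDC_SEARCH_URL = "https://api.nal.usda.gov/fdc/v1/foods/search"
SERVER_API_KEY = "SERVER_SIDE_KEY"  # placeholder for the key held in settings


def build_fdc_url_vulnerable(query: str) -> str:
    """Pre-2.6.0 pattern: the raw query lands in the URL string as-is,
    so any '&', '=' or '#' in it is interpreted as URL syntax upstream."""
    return f"{FDC_SEARCH_URL}?query={query}&api_key={SERVER_API_KEY}"


def build_fdc_url_fixed(query: str) -> str:
    """Patched pattern: every value is percent-encoded by urlencode, so the
    query stays a single parameter value regardless of its contents."""
    params = {"query": query, "api_key": SERVER_API_KEY}
    return f"{FDC_SEARCH_URL}?{urlencode(params)}"


def upstream_view(url: str) -> dict[str, list[str]]:
    """Parse the URL the way the upstream API would: only the query part
    (anything after '#' is a fragment and never reaches the server), with
    every repeated name kept as a list so duplicates are visible."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def injects_parameters(query: str) -> bool:
    """True when the unencoded build yields a parameter set different from
    the encoded build, i.e. the query broke out of its own value."""
    return upstream_view(build_fdc_url_vulnerable(query)) != upstream_view(
        build_fdc_url_fixed(query)
    )


if __name__ == "__main__":
    # Constructed attacker inputs: the first is the '&' case from the
    # advisory, the second generalises it to '#' truncating the query string,
    # the last two are benign searches that must parse identically either way.
    for payload in ("apple&api_key=ATTACKER_KEY", "apple#", "apple", "red apple"):
        print(f"query={payload!r}")
        print("  vulnerable ->", upstream_view(build_fdc_url_vulnerable(payload)))
        print("  fixed      ->", upstream_view(build_fdc_url_fixed(payload)))
        print("  injects    ->", injects_parameters(payload))
```

Whether the attacker's or the server's `api_key` wins when both are present is decided by the upstream parser, which is why the example reports every value rather than picking one; the security-relevant fact is that the attacker controls a full parameter at all. The `injects_parameters` comparison doubles as a regression check for the fix: a benign search such as `red apple` parses identically under both builders, so the encoded form changes nothing for legitimate input.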

Remediation

Vendor fix: Tandoor Recipes 2.6.0 patches the issue by URL-encoding the query parameter before it is interpolated into the upstream URL. No separate workaround is published; upgrading is the remediation.

OpenCVE Recommended Actions

  • Upgrade Tandoor Recipes to version 2.6.0 or later to apply the fix that properly encodes query parameters.



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tandoor; Tandoor recipes
CPEs                                  cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
Vendors & Products                    Tandoor; Tandoor recipes

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tandoorrecipes; Tandoorrecipes recipes
Vendors & Products                    Tandoorrecipes; Tandoorrecipes recipes

Thu, 26 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Description                           Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.
Title                                 URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key
Weaknesses                            CWE-74
References
Metrics                               cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:10.290Z

Reserved: 2026-03-17T21:17:08.884Z

Link: CVE-2026-33148

Vulnrichment

Updated: 2026-03-26T19:50:27.976Z

NVD

Status : Analyzed

Published: 2026-03-26T19:17:02.763

Modified: 2026-03-30T19:26:49.500

Link: CVE-2026-33148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:37Z

Weaknesses