Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSS Injection
Action: Immediate Patch
AI Analysis

Impact

Tandoor Recipes permitted authenticated users to insert arbitrary <style> tags into recipe step instructions. The server-side sanitizer whitelisted the <style> element, so the CSS was stored and subsequently served through the API without further cleansing. When a client reads the instructions_markdown field and renders it as HTML, the injected CSS is executed in the user’s browser, allowing the attacker to manipulate the page layout, overlay phishing interfaces, deface content, or perform CSS-based data exfiltration. The flaw is a classic stored injection and is catalogued as CWE-79.

Affected Systems

The vulnerability exists in all versions of TandoorRecipes:recipes released before 2.6.4. Any pre-2.6.4 build is affected; upgrading to version 2.6.4 or later resolves the issue.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. The issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated session and a client that renders the API-supplied markdown as HTML; where both conditions hold, UI defacement and data leakage are possible.

Generated by OpenCVE AI on April 10, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Tandoor Recipes version 2.6.4 or later.
  • If an upgrade is not immediately possible, intervene prior to storage by sanitizing the instructions to remove <style> tags or by rejecting them during input.
  • On the client side, ensure that any markdown from the API is passed through a trusted HTML sanitizer before rendering.
  • Review and harden any components that consume the API to confirm they do not blindly render raw CSS.
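To make the sanitizer defect and the pre-storage mitigation concrete, the following is an added example and not Tandoor's code: a minimal allowlist sanitizer built on the standard-library HTMLParser (a stand-in for bleach.clean, not bleach itself), run once with a tag allowlist that still contains style and once with it removed, plus a check for steps that were already stored. The allowlists and the sample step are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example; not Tandoor's real bleach configuration.
WEAK_ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "style"}
FIXED_ALLOWED_TAGS = WEAK_ALLOWED_TAGS - {"style"}
# Constructed sample step carrying an injected (harmless) style element.
SAMPLE_STEP = "<p>Whisk the eggs.</p><style>p{color:red}</style>"

class AllowlistSanitizer(HTMLParser):
    """Minimal allowlist sanitizer (stand-in for bleach.clean): allowed tags are kept
    (attributes dropped), others discarded; a disallowed style/script loses its body."""
    RAW_TEXT = {"style", "script"}

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.skipping = None  # raw-text tag whose body is being dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in self.allowed:
            self.out.append(f"<{tag}>")
        elif tag in self.RAW_TEXT:
            self.skipping = tag

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize_instructions(html_text, allowed):
    """Sanitize a step's HTML against the tag allowlist before it is stored."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

def contains_style_element(html_text):
    """True if a <style> element survives; text is escaped, so a literal '<style>' in prose cannot match."""
    return "<style>" in sanitize_instructions(html_text, {"style"})
```

With the weak allowlist the style element and its CSS pass through unchanged, which is the persisted payload the advisory describes; with style removed the element and its body are dropped, and contains_style_element can be run over existing instructions_markdown values to find records that still need re-sanitizing.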

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Tandoor; Tandoor recipes
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Tandoor; Tandoor recipes

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Tandoorrecipes; Tandoorrecipes recipes
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Tandoorrecipes; Tandoorrecipes recipes

Mon, 06 Apr 2026 18:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.
Type: Title
  Values Removed: (none)
  Values Added: Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:59:42.719Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35046

Vulnrichment

Updated: 2026-04-07T15:19:22.905Z

NVD

Status : Analyzed

Published: 2026-04-06T18:16:42.287

Modified: 2026-04-10T18:33:43.150

Link: CVE-2026-35046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:40Z

Weaknesses