CVE-2026-33148

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-33148
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
History

30 Mar 2026, 19:26

Type Values Removed Values Added
First Time Tandoor
Tandoor recipes
CPE cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
References () https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w - () https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w - Exploit, Vendor Advisory

30 Mar 2026, 13:26

Type Values Removed Values Added
Summary
  • (es) Tandoor Recipes es una aplicación para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, el endpoint de búsqueda de FDC (USDA FoodData Central) construye una URL de API ascendente interpolando directamente el parámetro 'query' proporcionado por el usuario en la cadena de la URL sin codificación URL. Un atacante puede inyectar parámetros URL adicionales incluyendo caracteres '&' en el valor de la consulta. Esto permite anular la clave de la API, manipular el comportamiento de la consulta ascendente y causar caídas del servidor (HTTP 500) a través de solicitudes malformadas — una condición de denegación de servicio. La versión 2.6.0 corrige el problema.

26 Mar 2026, 19:17

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-26 19:17

Updated : 2026-03-30 19:26

NVD link : CVE-2026-33148

Mitre link : CVE-2026-33148

CVE.ORG link : CVE-2026-33148

JSON object : View

Products Affected

tandoor

  • recipes
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')