CVE-2026-33148

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*

History

30 Mar 2026, 19:26

Type	Values Removed	Values Added
References	~~() https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w -~~	() https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w - Exploit, Vendor Advisory
First Time		Tandoor recipes Tandoor
CPE		cpe:2.3:a:tandoor:recipes::::::::

Information

Published : 2026-03-26 19:17

Updated : 2026-03-30 19:26

NVD link : CVE-2026-33148

Mitre link : CVE-2026-33148

CVE.ORG link : CVE-2026-33148

JSON object : View

Products Affected

tandoor

recipes

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2026-33148", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T19:17:02.763", "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests \u2014 a Denial of Service condition. Version 2.6.0 patches the issue."}, {"lang": "es", "value": "Tandoor Recipes es una aplicaci\u00f3n para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, el endpoint de b\u00fasqueda de FDC (USDA FoodData Central) construye una URL de API ascendente interpolando directamente el par\u00e1metro 'query' proporcionado por el usuario en la cadena de la URL sin codificaci\u00f3n URL. Un atacante puede inyectar par\u00e1metros URL adicionales incluyendo caracteres '&' en el valor de la consulta. Esto permite anular la clave de la API, manipular el comportamiento de la consulta ascendente y causar ca\u00eddas del servidor (HTTP 500) a trav\u00e9s de solicitudes malformadas \u2014 una condici\u00f3n de denegaci\u00f3n de servicio. La versi\u00f3n 2.6.0 corrige el problema."}], "lastModified": "2026-03-30T19:26:49.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EFEDF7D-1D00-4901-A064-ECC168038F6C", "versionEndExcluding": "2.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}