Product
Tandoor Recipes Host Header Injection Vulnerability (CVE-2026-33149)
2 rules 1 TTPTandoor Recipes versions up to 2.5.3 use a wildcard for ALLOWED_HOSTS, making Django accept any HTTP Host header without validation, which allows an attacker to manipulate server-generated absolute URLs and potentially compromise user accounts through invite link poisoning.
Tandoor Recipes Authentication Bypass Vulnerability (CVE-2026-35045)
2 rules 1 TTP 1 CVETandoor Recipes before version 2.6.4 allows authenticated users within a space to modify any recipe in that space, including private ones, via the PUT /api/recipe/batch_update/ endpoint, bypassing object-level authorization checks and enabling unauthorized access and data tampering.
Tandoor Recipes Unauthorized RecipeBook Modification Vulnerability (CVE-2026-35488)
2 rules 1 TTP 1 CVETandoor Recipes versions prior to 2.6.4 allow unauthorized modification and deletion of RecipeBooks due to a flaw in the CustomIsShared permission class which grants write access to shared users regardless of intended read-only permissions.
Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)
2 rules 1 TTPTandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.