Skip to content
Threat Feed

Product

Tandoor Recipes

4 briefs RSS
high advisory

Tandoor Recipes Host Header Injection Vulnerability (CVE-2026-33149)

Tandoor Recipes versions up to 2.5.3 use a wildcard for ALLOWED_HOSTS, making Django accept any HTTP Host header without validation, which allows an attacker to manipulate server-generated absolute URLs and potentially compromise user accounts through invite link poisoning.

Tandoor Recipes host-header-injection cve-2026-33149 web-application
2r 1t
high advisory

Tandoor Recipes Authentication Bypass Vulnerability (CVE-2026-35045)

Tandoor Recipes before version 2.6.4 allows authenticated users within a space to modify any recipe in that space, including private ones, via the PUT /api/recipe/batch_update/ endpoint, bypassing object-level authorization checks and enabling unauthorized access and data tampering.

Tandoor Recipes authentication-bypass web-application tandoor-recipes
2r 1t 1c
high advisory

Tandoor Recipes Unauthorized RecipeBook Modification Vulnerability (CVE-2026-35488)

Tandoor Recipes versions prior to 2.6.4 allow unauthorized modification and deletion of RecipeBooks due to a flaw in the CustomIsShared permission class which grants write access to shared users regardless of intended read-only permissions.

Tandoor Recipes CVE-2026-35488 Unauthorized Access Data Modification
2r 1t 1c
critical advisory

Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)

Tandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.

Tandoor Recipes CVE-2026-33152 tandoor-recipes password-guessing credential-access
2r 1t