cbcvebase.
CVE-2026-33148
published 2026-03-26


Priority: P338
CVSS 3.1: 6.5 (medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.47% (37.0th percentile)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.
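As an added illustration (not Tandoor's own code; the endpoint URL and key are placeholders), the snippet below contrasts the raw-interpolation pattern the description names with the percent-encoded form that keeps a user string inside a single `query` parameter, plus a check a maintainer could run in tests.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example; not Tandoor's real code, endpoint or key.
FDC_BASE = "https://api.nal.usda.gov/fdc/v1/foods/search"
API_KEY = "server-side-key"


def build_url_vulnerable(query: str) -> str:
    """The pattern the advisory describes: the user string is interpolated
    into the URL verbatim, so '&' and '=' inside it become new parameters."""
    return f"{FDC_BASE}?query={query}&api_key={API_KEY}"


def build_url_fixed(query: str) -> str:
    """Hardened form: urlencode percent-encodes reserved characters, so the
    whole user string stays inside the single 'query' value."""
    return f"{FDC_BASE}?{urlencode({'query': query, 'api_key': API_KEY})}"


def upstream_params(url: str) -> dict:
    """Parse the URL the way the upstream API would: each parameter name
    mapped to the list of values it received (duplicates are kept)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def query_is_contained(url: str, query: str) -> bool:
    """Defensive check: the user text reached upstream as exactly one
    'query' value and api_key was sent exactly once, unchanged."""
    params = upstream_params(url)
    return params.get("query") == [query] and params.get("api_key") == [API_KEY]
```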

Affected (2 ranges)

Vendor           Product   Version range   Fixed in
tandoor          recipes   < 2.6.0         2.6.0
tandoorrecipes   recipes   < 2.6.0         2.6.0