Vulnerability Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tandoor | Recipes | < 2.6.0 |
Related Weaknesses (CWE)
References
- https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7ExploitVendor Advisory
FAQ
What is CVE-2026-33148?
CVE-2026-33148 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream ...
How severe is CVE-2026-33148?
CVE-2026-33148 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33148?
Check the references section above for vendor advisories and patch information. Affected products include: Tandoor Recipes.