CVE-2026-25964 (GCVE-0-2026-25964)
Vulnerability from cvelistv5 – Published: 2026-02-13 18:27 – Updated: 2026-02-13 20:01
VLAI
Title
Tandoor Recipes Affected by Authenticated Local File Disclosure (LFD) via Recipe Import leads to Arbitrary File Read
Summary
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
Severity
4.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/TandoorRecipes/recipes/securit… | x_refsource_CONFIRM |
| https://github.com/TandoorRecipes/recipes/commit/… | x_refsource_MISC |
| https://github.com/TandoorRecipes/recipes/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TandoorRecipes | recipes |
Affected:
< 2.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25964",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T20:00:57.599657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T20:01:40.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "recipes",
"vendor": "TandoorRecipes",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T18:27:08.973Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6485-jr28-52xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6485-jr28-52xx"
},
{
"name": "https://github.com/TandoorRecipes/recipes/commit/f7f3524609451ab0b5a4fd760ad0af147d8ed794",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TandoorRecipes/recipes/commit/f7f3524609451ab0b5a4fd760ad0af147d8ed794"
},
{
"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.5.1"
}
],
"source": {
"advisory": "GHSA-6485-jr28-52xx",
"discovery": "UNKNOWN"
},
"title": "Tandoor Recipes Affected by Authenticated Local File Disclosure (LFD) via Recipe Import leads to Arbitrary File Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25964",
"datePublished": "2026-02-13T18:27:08.973Z",
"dateReserved": "2026-02-09T17:13:54.066Z",
"dateUpdated": "2026-02-13T20:01:40.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-25964",
"date": "2026-06-30",
"epss": "0.0042",
"percentile": "0.33649"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25964\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-13T19:17:28.810\",\"lastModified\":\"2026-06-17T10:25:30.277\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.\"},{\"lang\":\"es\",\"value\":\"Tandoor Recipes es una aplicaci\u00f3n para gestionar recetas, planificar comidas y crear listas de la compra. Anteriormente a la 2.5.1, una vulnerabilidad de salto de ruta en el flujo de trabajo RecipeImport de Tandoor Recipes permite a usuarios autenticados con permisos de importaci\u00f3n leer archivos arbitrarios en el servidor. Esta vulnerabilidad se debe a una falta de validaci\u00f3n de entrada en el par\u00e1metro file_path y a comprobaciones insuficientes en el backend de almacenamiento local, lo que permite a un atacante eludir las restricciones del directorio de almacenamiento y acceder a archivos sensibles del sistema (p. ej., / etc/ passwd) o a archivos de configuraci\u00f3n de la aplicaci\u00f3n (p. ej., settings.py), lo que podr\u00eda llevar a un compromiso total del sistema. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2.5.1.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"TandoorRecipes\",\"product\":\"recipes\",\"versions\":[{\"version\":\"\u003c 2.5.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-13T20:00:57.599657Z\",\"id\":\"CVE-2026-25964\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.1\",\"matchCriteriaId\":\"21860AB5-9F47-4015-958B-26FE480AE53B\"}]}]}],\"references\":[{\"url\":\"https://github.com/TandoorRecipes/recipes/commit/f7f3524609451ab0b5a4fd760ad0af147d8ed794\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/TandoorRecipes/recipes/releases/tag/2.5.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6485-jr28-52xx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25964\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-13T20:00:57.599657Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-13T20:01:06.908Z\"}}], \"cna\": {\"title\": \"Tandoor Recipes Affected by Authenticated Local File Disclosure (LFD) via Recipe Import leads to Arbitrary File Read\", \"source\": {\"advisory\": \"GHSA-6485-jr28-52xx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"TandoorRecipes\", \"product\": \"recipes\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6485-jr28-52xx\", \"name\": \"https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6485-jr28-52xx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/TandoorRecipes/recipes/commit/f7f3524609451ab0b5a4fd760ad0af147d8ed794\", \"name\": \"https://github.com/TandoorRecipes/recipes/commit/f7f3524609451ab0b5a4fd760ad0af147d8ed794\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/TandoorRecipes/recipes/releases/tag/2.5.1\", \"name\": \"https://github.com/TandoorRecipes/recipes/releases/tag/2.5.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-13T18:27:08.973Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25964\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-13T20:01:40.545Z\", \"dateReserved\": \"2026-02-09T17:13:54.066Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-13T18:27:08.973Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…