CVE-2026-29055

MEDIUM 5.3

Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

8th

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer TODO comment in the source code acknowledges this as a known issue. As a result, when users upload recipe photos in WebP format (the default format for modern smartphone cameras), their sensitive EXIF data — including GPS coordinates, camera model, timestamps, and software information — is stored and served to all users who can view the recipe. Version 2.6.0 fixes the issue.

CWE	CWE-1230
Vendor	tandoorrecipes
Product	recipes
Published	Mar 26, 2026
Last Updated	Mar 27, 2026

Stay Ahead of the Next One

Get instant alerts for tandoorrecipes recipes

Be the first to know when new medium vulnerabilities affecting tandoorrecipes recipes are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

TandoorRecipes / recipes

< 2.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-9g2j-xccg-9mhq github.com: https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0