CVE-2026-35046

MEDIUM 5.4

Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

8th

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.

CWE	CWE-79
Vendor	tandoorrecipes
Product	recipes
Published	Apr 6, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for tandoorrecipes recipes

Be the first to know when new medium vulnerabilities affecting tandoorrecipes recipes are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

TandoorRecipes / recipes

< 2.6.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-9hhh-g2fc-r8x2 github.com: https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4