CVE-2026-35489

HIGH 7.3

Tandoor Recipes — `amount`/`unit` bypass serializer in `food/{id}/shopping/`

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.

CWE	CWE-639 CWE-1284
Vendor	tandoorrecipes
Product	recipes
Published	Apr 7, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for tandoorrecipes recipes

Be the first to know when new high vulnerabilities affecting tandoorrecipes recipes are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

TandoorRecipes / recipes

< 2.6.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554 github.com: https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4