Cross-Site Scripting Vulnerability in Mealie Recipe Creation Functionality
CVE-2025-56795

Currently unrated

Key Information:

Vendor: Mealie
Status: Mealie
Vendor: CVE Published:; 29 September 2025

What is CVE-2025-56795?

Mealie versions 3.0.1 and earlier have a vulnerability in the recipe creation process that allows for Cross-Site Scripting (XSS) attacks. This occurs through the unsanitized user input found in the 'note' and 'text' fields of the '/api/recipes/{recipe_name}' endpoint. Due to the lack of proper escaping, injected scripts may be rendered on the frontend, which can lead to persistent XSS, compromising the security of both users and the application. Organizations using affected versions should implement mitigation strategies immediately.

References

https://github.com/mealie-recipes/mealie/issues/5677

https://github.com/mealie-recipes/mealie/pull/5754

https://github.com/B1tBreaker/CVE-2025-56795

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Aug 17, 2025

JSON