Path Traversal Vulnerability in Tandoor Recipes by Tandoor
CVE-2026-25964

4.9 MEDIUM

Key Information:

CVE Published: 13 February 2026

What is CVE-2026-25964?

Tandoor Recipes, an application for managing recipes and meal planning, has a path traversal vulnerability in its RecipeImport workflow. Prior to version 2.5.1, the application did not validate user input in the file_path parameter, and its local storage back-end lacked proper checks. An authenticated user with import permissions can exploit this to read sensitive files on the server, such as application configuration and system files, potentially leading to severe security breaches. The vulnerability is fixed in version 2.5.1.
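A containment check of the kind the description says was missing, as an added example (not Tandoor's code or its 2.5.1 patch): the storage layer resolves the caller-supplied file_path and refuses anything that lands outside its root. The function names, directory layout and sample paths are constructed for illustration.

```python
import os
import tempfile

class UnsafePathError(ValueError):
    """Raised when a requested path would leave the storage root."""

def resolve_in_root(root, file_path):
    """Return the real path of file_path inside root, or raise UnsafePathError."""
    if not file_path or "\x00" in file_path:
        raise UnsafePathError("empty path or NUL byte")
    if os.path.isabs(file_path):
        raise UnsafePathError("absolute paths are not accepted")
    real_root = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the comparison below
    # sees the location that open() would actually reach.
    candidate = os.path.realpath(os.path.join(real_root, file_path))
    # commonpath compares whole components, so a sibling such as
    # "storage-old" is not mistaken for a child of "storage".
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise UnsafePathError("path resolves outside the storage root")
    return candidate

def read_import_file(root, file_path):
    """Storage-layer read that enforces containment regardless of the caller."""
    with open(resolve_in_root(root, file_path), "rb") as fh:
        return fh.read()

# Constructed sample inputs: one legitimate import file and several escapes.
SAMPLES = ["imports/recipe.json", "../settings.env", "/etc/passwd",
           "imports/../../settings.env", "imports/link", "../storage-old/x"]

def demo():
    """Build a throwaway storage root and report how each sample is handled."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "storage")
        os.makedirs(os.path.join(root, "imports"))
        with open(os.path.join(root, "imports", "recipe.json"), "wb") as fh:
            fh.write(b"{}")
        secret = os.path.join(tmp, "settings.env")  # lives outside the root
        with open(secret, "wb") as fh:
            fh.write(b"SECRET=constructed")
        os.symlink(secret, os.path.join(root, "imports", "link"))
        for path in SAMPLES:
            try:
                read_import_file(root, path)
                results[path] = "read"
            except UnsafePathError:
                results[path] = "rejected"
    return results
```
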

Affected Version(s)

recipes < 2.5.1

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
