Tandoor Recipes Application Vulnerability Affecting API Functionality
CVE-2026-33148

6.5 MEDIUM

Key Information:

CVE Published: 26 March 2026

What is CVE-2026-33148?

In Tandoor Recipes versions prior to 2.6.0, a vulnerability exists in the USDA FoodData Central search endpoint, where user-supplied input is interpolated directly into the upstream API URL without proper URL encoding. Because the input is not encoded, an attacker can inject additional & characters into the query parameter, overriding the API key and altering the behavior of the upstream query. Such manipulation can lead to severe disruptions, including Denial of Service scenarios that leave the application unable to respond to legitimate requests.
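
The encoding flaw described above, shown next to an encoded form with a regression check, as an added example that is not Tandoor's own code. The upstream host, key value, function names and sample inputs are hypothetical placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical upstream endpoint and key (placeholders, not Tandoor's values).
UPSTREAM = "https://fdc.example.invalid/v1/foods/search"
API_KEY = "SERVER_SIDE_KEY"


def build_url_vulnerable(query: str) -> str:
    """Pattern the advisory describes: raw interpolation, no encoding."""
    return f"{UPSTREAM}?api_key={API_KEY}&query={query}"


def build_url_hardened(query: str) -> str:
    """Encode every value so '&', '=' and '#' stay inside the query value."""
    return f"{UPSTREAM}?{urlencode({'api_key': API_KEY, 'query': query})}"


def upstream_params(url: str) -> dict:
    """Parse the query string the way the upstream server would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def is_safe(url: str, user_query: str) -> bool:
    """Regression check: only the two expected parameters, each exactly once,
    with the server-side key unchanged and the user's text intact."""
    return upstream_params(url) == {"api_key": [API_KEY], "query": [user_query]}


# Constructed sample inputs: plain text, a benign '&', extra parameters, a '#'.
SAMPLES = [
    "cheddar cheese",
    "mac & cheese",
    "apple&api_key=other&extra=1",
    "a#b=c",
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = is_safe(build_url_vulnerable(s), s)
        h = is_safe(build_url_hardened(s), s)
        print(f"{s!r:32} vulnerable_ok={v} hardened_ok={h}")
```

The same check works as a unit test around whatever code builds the upstream request: parse the final URL and assert that it carries only the expected parameters.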

Affected Version(s)

recipes < 2.6.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
