Arbitrary CSS Injection in Tandoor Recipes by Vendor Tandoor
CVE-2026-35046
What is CVE-2026-35046?
Tandoor Recipes is a powerful application designed for managing recipes, meal planning, and shopping lists. A vulnerability exists in versions prior to 2.6.4 that allows authenticated users to inject arbitrary `<style>` tags into recipe step instructions. The application's sanitizer, bleach.clean(), incorrectly whitelists the `<style>` tag, so unsanitized CSS can be persisted and served through the API. Clients that render instructions_markdown from the API as HTML without proper sanitization may unwittingly apply the attacker-controlled CSS. This can result in UI redressing, phishing overlays, visual defacement, and even CSS-based data exfiltration. The issue has been addressed in version 2.6.4.
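As an added illustration of the allowlist mistake described above (example code, not Tandoor's own), the following standard-library script audits a bleach-style tag allowlist for `style` and scans step records, as a client or operator would receive them from the API, for persisted `<style>` blocks. The allowlists, the sample steps and their `id` field are constructed assumptions; only `instructions_markdown` comes from the advisory.

```python
from html.parser import HTMLParser

# Added example (not Tandoor's code), stdlib only so it runs without bleach.
# Tags that let stored content carry style-bearing or executable markup.
STYLE_BEARING_TAGS = {"style", "script", "link", "iframe", "object", "embed"}

# Constructed stand-ins for bleach.clean(tags=...): the weak one mirrors the bug.
WEAK_ALLOWED_TAGS = {"p", "b", "i", "a", "ul", "ol", "li", "img", "style"}
FIXED_ALLOWED_TAGS = WEAK_ALLOWED_TAGS - {"style"}

# Constructed API step records; the `id` field is an assumption.
SAMPLE_STEPS = [
    {"id": 1, "instructions_markdown": "<p>Whisk the eggs.</p>"},
    {"id": 2, "instructions_markdown": "<p>Bake.</p><style>p { color: red }</style>"},
]

def audit_allowlist(allowed_tags):
    """Return the style-bearing tags that a sanitizer allowlist lets through."""
    return sorted({t.lower() for t in allowed_tags} & STYLE_BEARING_TAGS)

class _StyleCollector(HTMLParser):
    """Collect the text content of every <style> element in a document."""
    def __init__(self):
        super().__init__()
        self._in_style = False
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self.blocks.append("")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # HTMLParser hands <style> bodies over as raw data
            self.blocks[-1] += data

def find_style_blocks(html):
    """Return the CSS bodies of <style> elements found in a step's instructions."""
    parser = _StyleCollector()
    parser.feed(html)
    parser.close()
    return [b.strip() for b in parser.blocks]

def scan_steps(steps):
    """Return (step id, css) for every API step record carrying a <style> block."""
    return [(s["id"], css) for s in steps for css in find_style_blocks(s.get("instructions_markdown", ""))]
```

Running `scan_steps` over an export of recipe steps from a pre-2.6.4 instance shows which records still carry CSS after upgrading, since the fix changes the sanitizer but not content already stored.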
Affected Version(s)
recipes < 2.6.4
