CVE-2026-35489

HIGH

7.3

Beschreibung

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.

CVE Details

CVSS v3.1 Bewertung7.3

SchweregradHIGH

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht4/7/2026

Zuletzt geandert4/8/2026

Quellenvd

Honeypot-Sichtungen0

Schwachen (CWE)

CWE-639CWE-1284

Referenzen

https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4(security-advisories@github.com)

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554(security-advisories@github.com)

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.