4.9
Tandoor Recipes: Unauthorized Access to Server Files
CVE-2026-25964
Summary
Authenticated users with import permissions can read sensitive files on the server, potentially leading to system compromise. The RecipeImport workflow does not validate the file_path parameter, and the Local storage backend does not sufficiently check that the requested path stays inside the storage directory. Update to version 2.5.1 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| tandoor | recipes | <= 2.5.1 | – |
Original title
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes a...
Original description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
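The root cause named in the description, an unvalidated file_path combined with a local storage backend that does not confine paths, comes down to one missing containment check. The following is an added example, not Tandoor's code or its 2.5.1 patch; `naive_resolve`, `safe_resolve`, the `imports` directory and the sample inputs are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(storage_root: str, file_path: str) -> str:
    """Unchecked join: '..' segments and absolute paths escape storage_root."""
    return os.path.normpath(os.path.join(storage_root, file_path))


def safe_resolve(storage_root: str, file_path: str) -> Path:
    """Return the real path of file_path only if it stays inside storage_root."""
    if "\x00" in file_path:
        raise ValueError("NUL byte in file_path")
    root = Path(storage_root).resolve()
    # resolve() collapses '..' and follows symlinks; joining an absolute
    # file_path discards root entirely, which the containment test catches.
    candidate = (root / file_path).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise PermissionError(f"file_path escapes storage root: {file_path!r}")
    return candidate


def demo() -> dict:
    """Run constructed inputs through safe_resolve and record the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "imports")  # hypothetical storage directory
        os.mkdir(root)
        Path(root, "recipes.zip").write_bytes(b"constructed sample")
        # A symlink inside the root that points outside it.
        os.symlink("/etc", os.path.join(root, "link"))
        for name in ["recipes.zip", "../../etc/passwd", "/etc/passwd",
                     "sub/../../settings.py", "link/passwd"]:
            try:
                safe_resolve(root, name)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Comparing resolved paths rather than raw strings is what covers the symlink and absolute-path cases, which a simple filter on `..` would miss.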
nvd CVSS3.1
4.9
Vulnerability type
CWE-22
Path Traversal
CWE-73
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026