CVE-2026-27460
Tandoor Recipes Affected by Denial of Service via Recipe Import
In short
Tandoor Recipes versions before 2.6.5 can crash or slow down significantly when an authenticated user uploads a specially crafted large ZIP file during recipe import. This allows someone with login access to disrupt the service for other users.
Technical detail
CWE-409 (Improper Handling of Highly Compressed Data, i.e. data amplification) manifests as a DoS vulnerability in the recipe import endpoint. An authenticated attacker can upload a ZIP bomb, a small archive that expands to a very large size when decompressed, to exhaust server resources (CPU, memory, or disk I/O), causing denial of service. The vulnerability requires prior authentication and is mitigated in version 2.6.5 through improved input validation and resource limits.
Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability existed in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or significantly degrade its performance by uploading a large ZIP file (ZIP bomb). This vulnerability is fixed in 2.6.5.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
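The advisory says the fix relies on input validation and resource limits for uploaded archives. The following Python example, added here and not taken from Tandoor's own code base, shows the shape such a defence takes: it checks the ZIP's central-directory metadata (member count, declared sizes, compression ratio) before touching any data, and then streams each member out with a hard byte cap, because the header values an archive declares cannot be trusted. All limits, the `import_recipes` helper and the sample archives are constructed for this example.

```python
import io
import zipfile

# Resource limits for uploaded archives (constructed for this example,
# not Tandoor's own values). Tune them to the largest legitimate export.
MAX_MEMBERS = 500
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across all members
MAX_MEMBER_UNCOMPRESSED = 10 * 1024 * 1024  # 10 MiB per member
MAX_RATIO = 100                              # uncompressed / compressed
CHUNK = 64 * 1024                            # streaming read size


class UnsafeArchive(ValueError):
    """Raised when an uploaded archive fails a resource check."""


def check_archive_metadata(zf: zipfile.ZipFile) -> int:
    """Reject an archive from central-directory metadata alone.

    Cheap to run (no decompression) and catches the obvious bombs:
    too many members, oversized members, or an absurd compression ratio.
    Returns the declared total uncompressed size.
    """
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        raise UnsafeArchive(f"too many members: {len(infos)}")
    total = 0
    for info in infos:
        if info.is_dir():
            continue
        if info.file_size > MAX_MEMBER_UNCOMPRESSED:
            raise UnsafeArchive(f"{info.filename}: declared size {info.file_size} too large")
        # compress_size is 0 for empty members; guard the division
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > MAX_RATIO:
            raise UnsafeArchive(f"{info.filename}: compression ratio {ratio:.0f} exceeds {MAX_RATIO}")
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            raise UnsafeArchive(f"declared total {total} exceeds {MAX_TOTAL_UNCOMPRESSED}")
    return total


def read_member_capped(zf: zipfile.ZipFile, info: zipfile.ZipInfo,
                       cap: int = MAX_MEMBER_UNCOMPRESSED) -> bytes:
    """Stream a member out in chunks and abort once the cap is exceeded.

    Headers can lie about file_size, so this, not the metadata check,
    is what actually bounds memory during decompression.
    """
    buf = io.BytesIO()
    seen = 0
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            seen += len(chunk)
            if seen > cap:
                raise UnsafeArchive(f"{info.filename}: exceeded {cap} bytes while decompressing")
            buf.write(chunk)
    return buf.getvalue()


def import_recipes(blob: bytes) -> dict:
    """Validate an uploaded recipe ZIP, then read every file member.

    Returns {member name: bytes}; raises UnsafeArchive on any violation.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise UnsafeArchive(f"not a zip file: {exc}") from exc
    with zf:
        check_archive_metadata(zf)
        return {i.filename: read_member_capped(zf, i)
                for i in zf.infolist() if not i.is_dir()}


def rejection_reason(blob: bytes):
    """Return None if the archive is accepted, else the rejection message."""
    try:
        import_recipes(blob)
        return None
    except UnsafeArchive as exc:
        return str(exc)


def build_zip(members: dict) -> bytes:
    """Build an in-memory deflated ZIP (constructed test input)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return out.getvalue()


# Constructed sample archives: a normal export and a small bomb.
PANCAKES_JSON = b'{"name": "Pancakes", "steps": []}'
BENIGN_ZIP = build_zip({"recipes/pancakes.json": PANCAKES_JSON})
# 5 MiB of zeros deflates to a few KiB, a ratio near 1000:1, well over MAX_RATIO
BOMB_ZIP = build_zip({"recipes/huge.json": b"\0" * (5 * 1024 * 1024)})

if __name__ == "__main__":
    print("benign:", rejection_reason(BENIGN_ZIP))
    print("bomb:  ", rejection_reason(BOMB_ZIP))
```

The two layers are deliberate: the metadata pass is free and rejects most crafted archives before any CPU is spent, while the capped streaming read is the guarantee that holds even when the central directory is forged. In a web service the same limits should also be enforced on the raw upload size and wrapped in a request timeout, since a slow decompression ties up a worker even when memory stays bounded.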
Affected products
TandoorRecipes · recipes