
CVE-2025-56795: n/a

Medium
Published: Mon Sep 29 2025 (09/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Mealie 3.0.1 and earlier is vulnerable to Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.

AI-Powered Analysis

Last updated: 09/29/2025, 16:36:02 UTC

Technical Analysis

CVE-2025-56795 is a persistent Cross-Site Scripting (XSS) vulnerability affecting Mealie version 3.0.1 and earlier. Mealie is an open-source self-hosted recipe management application. The vulnerability exists in the recipe creation functionality, specifically in the handling of user input submitted to the "/api/recipes/{recipe_name}" endpoint. The fields "note" and "text" accept user input that is not properly sanitized or escaped before being rendered on the frontend. This improper handling allows an attacker to inject malicious scripts that persist in the application’s stored data. When other users or the same user view the affected recipe, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of the user, or delivery of further malware. Persistent XSS is more severe than reflected XSS because the malicious payload is stored on the server and served to multiple users until remediated. Although there are no known exploits in the wild at the time of publication, the vulnerability is publicly disclosed and could be targeted by attackers once details become widely available. No official patches or fixes have been linked yet, so users of Mealie 3.0.1 and earlier should consider this a significant security risk. The lack of a CVSS score limits precise severity quantification, but the nature of persistent XSS in a web application that manages user-generated content is well understood in the security community.

Potential Impact

For European organizations using Mealie for recipe or content management, this vulnerability poses a risk to the confidentiality and integrity of user data and sessions. Attackers exploiting this flaw could steal authentication tokens or cookies, leading to unauthorized access to user accounts and potentially sensitive information stored within the application. This could also facilitate lateral movement within an organization’s network if the application is integrated with internal systems. The persistent nature of the XSS means that malicious scripts could affect multiple users over time, increasing the attack surface. Additionally, exploitation could damage organizational reputation, especially if customer or employee data is compromised. Since Mealie is often self-hosted, organizations with limited security expertise may be slower to detect or remediate such issues, increasing exposure. The vulnerability does not directly impact availability but could be leveraged in multi-stage attacks that degrade service or introduce further malware.

Mitigation Recommendations

Organizations should immediately review and restrict access to the Mealie application, especially if it is exposed to the internet. Implement input validation and output encoding at the application level to sanitize the "note" and "text" fields, ensuring that any HTML or script content is properly escaped before rendering. If possible, upgrade to a fixed version of Mealie once available. In the interim, consider deploying Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads targeting the affected endpoints. Conduct regular security audits and penetration tests focusing on user input handling. Educate users about the risks of clicking suspicious links or executing unexpected scripts. Monitor application logs for unusual activity indicative of attempted exploitation. If feasible, isolate the Mealie instance within a segmented network zone to limit potential lateral movement. Finally, maintain backups of application data to enable recovery if malicious content is injected.
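The output-encoding recommendation above is the control that actually closes a stored XSS of this kind: the "note" and "text" values must be treated as text, never as markup, at the point where the frontend builds the DOM. The following is an added example written for this page, not code from the Mealie project. It assumes a simplified recipe object with a `steps` array whose entries carry `text` and `note` (the advisory names the fields; the surrounding object shape is a constructed assumption). It shows an `escapeHtml` encoder, a `renderStep` function that applies it before interpolating into HTML, and an `auditRecipe` helper that flags already-stored values containing markup so an operator can review existing data after upgrading.

```javascript
// Added example (not Mealie project code). Field names "note" and "text"
// follow the advisory; the `steps` array and recipe shape are assumptions.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can break out of an HTML text context.
// Applying this at render time turns any stored markup into literal text.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one recipe step. Interpolating step.text / step.note
// unencoded is exactly the defect the advisory describes; encoding them here
// means the browser never parses user-supplied content as tags or attributes.
function renderStep(step) {
  return (
    `<li class="step"><p class="text">${escapeHtml(step.text)}</p>` +
    `<p class="note">${escapeHtml(step.note)}</p></li>`
  );
}

// Audit helper for stored data: true when a value contains something the HTML
// parser would treat as a tag or a character entity. Intended for reviewing
// recipes that were saved before output encoding was in place; it is not a
// substitute for encoding at render time.
function containsMarkup(value) {
  return /<\s*\/?[a-z!]|&#?[a-z0-9]+;/i.test(String(value ?? ""));
}

// Return one finding per (step, field) pair that carries markup.
function auditRecipe(recipe) {
  const findings = [];
  (recipe.steps ?? []).forEach((step, index) => {
    for (const field of ["text", "note"]) {
      if (containsMarkup(step[field])) findings.push({ step: index, field });
    }
  });
  return findings;
}

// Constructed sample: a benign step, and a step whose note contains a tag.
const sampleRecipe = {
  name: "example-recipe",
  steps: [
    { text: "Preheat oven to 200 C", note: "Fan-assisted: 180 C" },
    { text: "Mix & rest", note: "<b>bold</b> note" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(sampleRecipe.steps.map(renderStep).join("\n"));
  console.log(JSON.stringify(auditRecipe(sampleRecipe)));
}
```

The audit regex deliberately ignores a bare ampersand such as "Mix & rest", which is common in recipe text and harmless once encoded; it only reports sequences that would actually be parsed as a tag or entity. Encoding must still be applied to every rendered field regardless of what the audit reports.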


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68dab55602c0cee7baf61d3e

Added to database: 9/29/2025, 4:35:34 PM

Last enriched: 9/29/2025, 4:36:02 PM

Last updated: 9/30/2025, 12:09:08 AM