CVE-2026-33148: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in TandoorRecipes recipes
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33148 in Tandoor Recipes (versions before 2.6.0) is classified under CWE-74, which involves improper neutralization of special elements in output used by a downstream component, specifically an injection flaw. The application constructs an upstream API URL for the USDA FoodData Central (FDC) search endpoint by directly interpolating the user-supplied 'query' parameter into the URL string without applying URL encoding or sanitization. This allows an attacker to inject additional URL parameters by including ampersand ('&') characters within the query value. Such injection can override the API key parameter, manipulate the behavior of the upstream API query, or send malformed requests that cause the server to respond with HTTP 500 errors, effectively creating a denial of service condition. The vulnerability requires the attacker to have at least low-level privileges (PR:L) but does not require user interaction (UI:N). The attack vector is network-based (AV:N), and the scope remains unchanged (S:U). The CVSS 3.1 base score is 6.5, reflecting a medium severity primarily due to the impact on availability. No known exploits are currently reported in the wild. The issue is resolved in version 2.6.0 by properly encoding or sanitizing the 'query' parameter before constructing the upstream URL, preventing injection of additional parameters and ensuring stable server operation.
Potential Impact
This vulnerability primarily impacts the availability of the Tandoor Recipes service by enabling denial of service through server crashes triggered by malformed upstream API requests. Attackers can disrupt meal planning and recipe management functionalities for users relying on the application, potentially affecting business continuity for organizations that integrate Tandoor Recipes into their workflows. Additionally, the ability to override the API key parameter could lead to unauthorized use or abuse of the upstream USDA FoodData Central API quota or data, potentially causing service disruptions or additional costs. While confidentiality and integrity are not directly affected, the disruption of service can degrade user trust and operational efficiency. Organizations using affected versions may face increased support costs and reputational damage if the service becomes unreliable. The medium severity rating reflects the moderate impact and relatively low complexity of exploitation, emphasizing the need for timely remediation.
Mitigation Recommendations
Organizations should upgrade Tandoor Recipes to version 2.6.0 or later, where the vulnerability is patched. Until upgrading is possible, implement strict input validation and sanitization on the 'query' parameter to ensure it does not contain special characters such as '&' that could alter URL construction. Employ URL encoding on all user-supplied input before embedding it into URLs to prevent injection of additional parameters. Monitor application logs for unusual upstream API request patterns or HTTP 500 errors that may indicate exploitation attempts. Limit privileges of users who can submit queries to reduce the risk of exploitation. Additionally, consider implementing rate limiting on the FDC search endpoint to mitigate denial of service attempts. Review and restrict API key usage policies with the upstream USDA FoodData Central service to detect and prevent unauthorized key overrides or abuse. Conduct regular security assessments and code reviews focusing on input handling and output encoding to prevent similar injection vulnerabilities.
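The following is an added example, not code from Tandoor Recipes: a simplified model of the URL construction described in the Technical Summary, placing the interpolating form beside the encoded form recommended above, plus a check that a reviewer can run to confirm the upstream request carries only the intended parameters. The FDC endpoint URL, the parameter names and the key value are assumptions and placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed upstream search endpoint and a constructed placeholder key.
FDC_SEARCH_URL = "https://api.nal.usda.gov/fdc/v1/foods/search"
API_KEY = "PLACEHOLDER_API_KEY"
EXPECTED_PARAMS = {"query", "api_key", "pageSize"}


def build_url_vulnerable(query: str) -> str:
    # The pattern the advisory describes: the user value is dropped into
    # the URL string as-is, so any '&' or '=' it contains is interpreted
    # by the upstream API as a parameter separator.
    return f"{FDC_SEARCH_URL}?query={query}&api_key={API_KEY}&pageSize=10"


def build_url_fixed(query: str) -> str:
    # urlencode percent-encodes '&', '=', '#', '?' and spaces, so the whole
    # user value stays inside the single 'query' parameter.
    params = urlencode({"query": query, "api_key": API_KEY, "pageSize": 10})
    return f"{FDC_SEARCH_URL}?{params}"


def upstream_params(url: str) -> dict:
    # Parse the URL the way the downstream component will: every '&'
    # in the query string starts a new parameter.
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def is_well_formed(url: str) -> bool:
    # Defensive invariant: exactly the expected parameter names, each
    # present once, and api_key still equal to the application's own key.
    params = upstream_params(url)
    return (
        set(params) == EXPECTED_PARAMS
        and all(len(values) == 1 for values in params.values())
        and params["api_key"] == [API_KEY]
    )


if __name__ == "__main__":
    # Constructed sample input containing a parameter separator.
    sample = "apple&pageSize=0"
    print(build_url_vulnerable(sample), is_well_formed(build_url_vulnerable(sample)))
    print(build_url_fixed(sample), is_well_formed(build_url_fixed(sample)))
```

The invariant check is the kind of assertion worth keeping in a unit test for any code path that assembles URLs from request parameters.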
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T21:17:08.884Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c589313c064ed76fb167c7
Added to database: 3/26/2026, 7:29:53 PM
Last enriched: 3/26/2026, 7:46:40 PM
Last updated: 3/27/2026, 5:11:18 AM