CVE-2026-35046: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TandoorRecipes recipes
CVE-2026-35046 is a medium severity cross-site scripting (XSS) vulnerability in Tandoor Recipes prior to version 2. 6. 4. Authenticated users can inject arbitrary <style> tags into recipe step instructions because the sanitizer used (bleach. clean()) explicitly whitelists the <style> tag. This leads to the backend persisting and serving unsanitized CSS payloads via the API. Clients that render these instructions as HTML without additional sanitization may execute attacker-controlled CSS, enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. The vulnerability is fixed in version 2. 6. 4.
AI Analysis
Technical Summary
Tandoor Recipes versions prior to 2.6.4 contain a cross-site scripting vulnerability (CWE-79) due to improper input neutralization during web page generation. The bleach.clean() sanitizer used in the backend explicitly whitelists the <style> tag, allowing authenticated users to inject arbitrary CSS into recipe step instructions. These CSS payloads are stored and served via the API without proper sanitization. Clients that render the instructions_markdown field as HTML without further sanitization will execute the injected CSS, which can be used for UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. The vulnerability is addressed in version 2.6.4 of Tandoor Recipes.
Potential Impact
The vulnerability allows authenticated users to inject arbitrary CSS into recipe instructions, which can be executed by clients rendering the instructions as HTML without additional sanitization. This can lead to UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. There is no indication of direct code execution or availability impact. The CVSS score is 5.4 (medium severity), reflecting limited confidentiality and integrity impact with no availability impact.
Mitigation Recommendations
Upgrade Tandoor Recipes to version 2.6.4 or later, where this vulnerability is fixed. Since the fix is included in the version update, applying this official fix will remediate the issue. Clients consuming the API should also implement additional sanitization when rendering instructions_markdown as HTML to prevent execution of malicious CSS. Patch status is not explicitly stated but the fix is included in version 2.6.4; verify with vendor advisory for confirmation.
CVE-2026-35046: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TandoorRecipes recipes
Description
CVE-2026-35046 is a medium severity cross-site scripting (XSS) vulnerability in Tandoor Recipes prior to version 2. 6. 4. Authenticated users can inject arbitrary <style> tags into recipe step instructions because the sanitizer used (bleach. clean()) explicitly whitelists the <style> tag. This leads to the backend persisting and serving unsanitized CSS payloads via the API. Clients that render these instructions as HTML without additional sanitization may execute attacker-controlled CSS, enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. The vulnerability is fixed in version 2. 6. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tandoor Recipes versions prior to 2.6.4 contain a cross-site scripting vulnerability (CWE-79) due to improper input neutralization during web page generation. The bleach.clean() sanitizer used in the backend explicitly whitelists the <style> tag, allowing authenticated users to inject arbitrary CSS into recipe step instructions. These CSS payloads are stored and served via the API without proper sanitization. Clients that render the instructions_markdown field as HTML without further sanitization will execute the injected CSS, which can be used for UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. The vulnerability is addressed in version 2.6.4 of Tandoor Recipes.
Potential Impact
The vulnerability allows authenticated users to inject arbitrary CSS into recipe instructions, which can be executed by clients rendering the instructions as HTML without additional sanitization. This can lead to UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. There is no indication of direct code execution or availability impact. The CVSS score is 5.4 (medium severity), reflecting limited confidentiality and integrity impact with no availability impact.
Mitigation Recommendations
Upgrade Tandoor Recipes to version 2.6.4 or later, where this vulnerability is fixed. Since the fix is included in the version update, applying this official fix will remediate the issue. Clients consuming the API should also implement additional sanitization when rendering instructions_markdown as HTML to prevent execution of malicious CSS. Patch status is not explicitly stated but the fix is included in version 2.6.4; verify with vendor advisory for confirmation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T21:06:06.428Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3edbe0a160ebd92cb34c3
Added to database: 4/6/2026, 5:30:38 PM
Last enriched: 4/6/2026, 5:46:06 PM
Last updated: 4/6/2026, 7:51:26 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.