CVE-2025-23213— Tandoor Recipes - Stored XSS through Unrestricted File Upload
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-23213
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Tandoor Recipes - Stored XSS through Unrestricted File Upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows to upload arbitrary files, including html and svg. Both can contain malicious content (XSS Payloads). This vulnerability is fixed in 1.5.28.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tandoor Recipes 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tandoor Recipes是Tandoor Recipes开源的一个用于管理食谱、计划膳食、建立购物清单等等的应用程序。 Tandoor Recipes 1.5.28之前版本存在代码问题漏洞,该漏洞源于文件上传功能允许上传任意文件,包括html和svg,两者都可能包含恶意内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| TandoorRecipes | recipes | < 1.5.28 | - |
II. Public POCs for CVE-2025-23213
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-23213
请登录查看更多情报信息。
Same Patch Batch · TandoorRecipes · 2025-01-28 · 3 CVEs total
| CVE-2025-23211 | 10.0 CRITICAL | Tandoor Recipes - SSTI - Remote Code Execution |
| CVE-2025-23212 | 7.7 HIGH | Tandoor Recipes - Local file disclosure - Users can read the content of any file on the se |
IV. Related Vulnerabilities
Same product: recipes
- CVE-2026-27460
Tandoor Recipes Affected by Denial of Service via Recipe Imp - CVE-2026-35489
Tandoor Recipes — `amount`/`unit` bypass serializer in `food - CVE-2026-35488
Tandoor Recipes — CustomIsShared permits DELETE/PUT on Recip - CVE-2026-35046
Tandoor has a Stored CSS Injection via <style> Tag in Recipe - CVE-2026-35045
Tandoor Recipes Affected by Private Recipe Exposure and Unau
Same vendor: TandoorRecipes
- CVE-2026-27460
Tandoor Recipes Affected by Denial of Service via Recipe Imp - CVE-2026-35489
Tandoor Recipes — `amount`/`unit` bypass serializer in `food - CVE-2026-35488
Tandoor Recipes — CustomIsShared permits DELETE/PUT on Recip - CVE-2026-35046
Tandoor has a Stored CSS Injection via <style> Tag in Recipe - CVE-2026-35045
Tandoor Recipes Affected by Private Recipe Exposure and Unau
Same weakness: CWE-434
- CVE-2021-47943
TextPattern CMS 4.8.7 Remote Code Execution via File Upload - CVE-2021-47937
e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme - CVE-2026-41517
Emlog: Remote Code Execution via Malicious Plugin Upload - CVE-2026-6692
Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber - CVE-2026-41587
CI4MS: Unrestricted PHP File Upload via Theme Installation L
V. Comments for CVE-2025-23213
No comments yet