CVE-2025-56795

Critical CVSS: 9.0

Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.

Vendor

Mealie

Product

Mealie

CWE

CWE-79

Yayın Tarihi

2025-09-29 17:15:31

Güncelleme

2025-10-16 15:42:33

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Mealie CRITICAL Mealie 2025

Referanslar

https://github.com/B1tBreaker/CVE-2025-56795 https://github.com/mealie-recipes/mealie/issues/5677 https://github.com/mealie-recipes/mealie/pull/5754

Benzer Kayıtlar

Medium

CVE-2025-70296

A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticate…

Medium

CVE-2025-70297

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1…

Low

CVE-2024-55070

A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allo…

Medium

CVE-2024-55072

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows…

High

CVE-2024-55073

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows…