CVE-2025-70297

Medium CVSS: 6.1

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser.

Vendor

Mealie

Product

Mealie

CWE

CWE-79

Yayın Tarihi

2026-02-11 19:15:50

Güncelleme

2026-02-23 15:33:59

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Mealie MEDIUM Mealie 2026

Referanslar

https://github.com/chrisWalker11/Cves/blob/main/CVE-2025-70297/CVE-2025-70297.md https://github.com/mealie-recipes/mealie/issues/6319

Benzer Kayıtlar

Medium

CVE-2025-70296

A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticate…

Critical

CVE-2025-56795

Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsani…

Low

CVE-2024-55070

A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allo…

Medium

CVE-2024-55072

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows…

High

CVE-2024-55073

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows…