CVE-2026-28503

Medium CVSS: 5.5

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. Version 2.6.0 patches the issue.

Vendor

Tandoor

Product

Recipes

CWE

CWE-639

Yayın Tarihi

2026-03-26 19:16:57

Güncelleme

2026-03-30 19:28:48

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Recipes MEDIUM Tandoor 2026

Referanslar

https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv

Benzer Kayıtlar

Critical

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior t…

High

CVE-2026-33153

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior t…

Medium

CVE-2026-33148

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior t…

Medium

CVE-2026-29055

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior t…

Medium

CVE-2026-25964

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a P…

High

CVE-2026-25991

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, the…