Sqlite · Sqlite · CVE-2026-23838
**Name of the Vulnerable Software and Affected Versions**
Tandoor Recipes versions 23.05 through 26.05
**Description**
Tandoor Recipes is a recipe manager. When it is installed with the Nix package manager and runs with the default configuration (SQLite and the default `MEDIA_ROOT`), the full database file may be accessible externally, potentially from the Internet. The NixOS module sets both the working directory and `MEDIA_ROOT` to `/var/lib/tandoor-recipes`, so the `db.sqlite3` database file is created in a directory that is served over HTTP, especially when `GUNICORN_MEDIA=1` is enabled or when a web server such as nginx serves the media files.
**Recommendations**
Versions prior to 26.05 should move `MEDIA_ROOT` into a subdirectory.
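
The following audit sketch is an added example, not code from the advisory, Tandoor Recipes or the NixOS module. It checks whether a database path falls inside the served media directory and finds any SQLite file under that directory by its file header. The function names are hypothetical, and a constructed temporary directory stands in for `/var/lib/tandoor-recipes`.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database file


def is_inside(path, root):
    """True if path resolves to a location at or below root (symlinks followed)."""
    path, root = Path(path).resolve(), Path(root).resolve()
    return path == root or root in path.parents


def find_exposed_databases(media_root):
    """Return SQLite files under media_root, i.e. files the media route would serve."""
    hits = []
    for dirpath, _dirs, files in os.walk(media_root):
        for name in files:
            candidate = Path(dirpath) / name
            try:
                with open(candidate, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        hits.append(candidate.resolve())
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
    return sorted(hits)


def build_layout(base, media_subdir=None):
    """Constructed stand-in for the state directory; returns (media_root, db_path)."""
    state = Path(base)
    db = state / "db.sqlite3"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE recipe (id INTEGER PRIMARY KEY, name TEXT)")
    con.commit()
    con.close()
    media = state / media_subdir if media_subdir else state
    (media / "recipes").mkdir(parents=True, exist_ok=True)
    (media / "recipes" / "cover.jpg").write_bytes(b"\xff\xd8\xff constructed image")
    return media, db


if __name__ == "__main__":
    for label, sub in (("default layout", None), ("media in subdirectory", "media")):
        with tempfile.TemporaryDirectory() as tmp:
            media_root, db_path = build_layout(tmp, sub)
            served = [p.name for p in find_exposed_databases(media_root)]
            print(f"{label}: db inside MEDIA_ROOT={is_inside(db_path, media_root)}, "
                  f"SQLite files served={served}")
```

On a real host, pass the configured `MEDIA_ROOT` to `find_exposed_databases` and the database path to `is_inside`; any hit means the database sits in the served tree.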