CVE-2026-33148

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.0

Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions prior to 2.6.0 have an issue in the FDC (USDA FoodData Central) search endpoint where the query parameter is directly interpolated into the upstream API URL without URL-encoding. This allows an attacker to inject additional URL parameters using & characters within the query value. This can lead to overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500), resulting in a Denial of Service condition. The API endpoint vulnerable is the FDC search endpoint.

Recommendations Update to version 2.6.0 or later.