CVE-2026-35489

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.4

Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The POST /api/food/{id}/shopping/ endpoint reads the amount and unit directly from request data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields.

Recommendations Update to version 2.6.4 or later.