PT-2026-7650 · Git+1 · Mealie

Published: 2026-02-11 · Updated: 2026-02-23 · CVE-2025-70297

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Mealie version 3.3.1

Description: A stored cross-site scripting (XSS) issue exists in the recipe asset upload and media serving component. Authenticated remote users can inject arbitrary web script or HTML through an uploaded SVG file, which is then served as image/svg+xml and rendered by a victim's browser. Because the affected component accepts SVG uploads and later delivers them as images, injected code executes in the context of another user's browser session.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the file types accepted by the recipe asset upload component.
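The two defensive controls the description and recommendations point at, an upload-time gate that rejects SVGs carrying active content and response headers that stop a stored SVG from running script when a browser opens it directly, look like this in Python. This is an added example, not Mealie's own code or its fix: the element and URL-scheme deny lists, the header set, the function names and the sample SVGs are all assumptions constructed for illustration, and the standard-library XML parser is used only for brevity (a production gate should parse with defusedxml to also block entity-expansion attacks).

```python
"""Defensive handling of user-uploaded SVG files (added example, not Mealie code):
reject active content at upload time and serve stored SVGs with headers that
prevent script execution. Names and lists below are illustrative assumptions."""
import xml.etree.ElementTree as ET  # assumption: swap for defusedxml in production

# Element local names that can carry or load executable content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# URL schemes that turn an href/src-style attribute into executable content.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local_name(qname: str) -> str:
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}' and lowercase."""
    return qname.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings explaining why the SVG is unsafe to serve as a document.
    An empty list means no active content was detected."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    findings: list[str] = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for elem in root.iter():  # root.iter() yields the root and every descendant
        tag = _local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local_name(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute '{name}' on <{tag}>")
            # Collapse whitespace so a scheme split across whitespace is still caught.
            compact = "".join(value.split()).lower()
            if compact.startswith(DANGEROUS_SCHEMES):
                findings.append(f"dangerous URL scheme in '{name}' on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload-time gate: accept an SVG only if no findings were raised."""
    return not find_active_content(svg_bytes)


def svg_response_headers() -> dict[str, str]:
    """Headers for serving stored SVGs. Script inside an SVG only runs when the
    browser navigates straight to the file URL (never when it is embedded via
    <img>), so a CSP with no script source plus 'sandbox' closes that path, and
    'attachment' makes a direct navigation download the file instead of rendering it."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",
    }


# Constructed sample uploads (not taken from the advisory); the handlers are inert markers.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="green"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* constructed marker */</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="marker()">'
               b'<rect width="1" height="1"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:marker()"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        print(f"{label}: {find_active_content(sample) or 'accepted'}")
```

The gate is deliberately a deny list of known-active constructs rather than a full sanitizer; if the application never needs interactive SVGs, rejecting any file that raises a finding is simpler and safer than trying to rewrite it. The headers are the complementary control for files already stored: they do not change how `<img>` embeds render, only what happens when someone opens the asset URL directly.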

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2025-70297

Affected Products: Mealie