NIXPKGS-2026-0790

GitHub issue published on 27 Mar 2026

Permalink CVE-2026-33148

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 20 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 5 hours ago
@LeSuisse removed package gnome-recipes 20 hours ago
@LeSuisse accepted 20 hours ago
@LeSuisse published on GitHub 20 hours ago

URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w x_refsource_CONFIRM

Affected products

recipes

==< 2.6.0

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3
nixos-25.11 2.5.3
- nixos-25.11-small 2.5.3
- nixpkgs-25.11-darwin 2.5.3

Ignored packages (1)

pkgs.gnome-recipes

Recipe management application for GNOME

Package maintainers

@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w