Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0959

NIXPKGS-2026-0959
published on
Permalink CVE-2026-35046
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 1 day ago
  • @LeSuisse ignored package gnome-recipes 3 weeks ago
  • @LeSuisse deleted maintainer @jvanbruegge 3 weeks ago maintainer.delete
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
Tandoor has a Stored CSS Injection via <style> Tag in Recipe Instructions (API-Level)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The bleach.clean() sanitizer explicitly whitelists the <style> tag, causing the backend to persist and serve unsanitized CSS payloads via the API. Any client consuming instructions_markdown from the API and rendering it as HTML without additional sanitization will execute attacker-controlled CSS — enabling UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration. This vulnerability is fixed in 2.6.4.

Affected products

recipes
  • ==< 2.6.4

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

Ignored packages (1)

Package maintainers

Ignored maintainers (1)