{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27460", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.100Z", "datePublished": "2026-04-10T19:09:05.883Z", "dateUpdated": "2026-04-13T15:35:58.210Z"}, "containers": {"cna": {"title": "Tandoor Recipes Affected by Denial of Service via Recipe Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "lang": "en", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8"}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"version": "< 2.6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:09:05.883Z"}, "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or make a significantly degrade its performance by uploading a large size ZIP file (ZIP Bomb). This vulnerability is fixed in 2.6.5."}], "source": {"advisory": "GHSA-w8pq-4pwf-r2m8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:28:27.281792Z", "id": "CVE-2026-27460", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:35:58.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27460", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:28:27.281792Z"}}}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:23:55.751Z"}}], "cna": {"title": "Tandoor Recipes Affected by Denial of Service via Recipe Import", "source": {"advisory": "GHSA-w8pq-4pwf-r2m8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"status": "affected", "version": "< 2.6.5"}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8", "name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or make a significantly degrade its performance by uploading a large size ZIP file (ZIP Bomb). This vulnerability is fixed in 2.6.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:09:05.883Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27460", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:35:58.210Z", "dateReserved": "2026-02-19T17:25:31.100Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:09:05.883Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "E89545FA-BC6B-47B1-8663-E74B8E7E1F99", "versionEndExcluding": "2.6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or make a significantly degrade its performance by uploading a large size ZIP file (ZIP Bomb). This vulnerability is fixed in 2.6.5."}], "id": "CVE-2026-27460", "lastModified": "2026-04-14T17:29:17.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T19:16:21.427", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "recipes", "source": "cna", "vendor": "TandoorRecipes"}, "product": "recipes", "vendor": "tandoorrecipes"}], "analysis": {"en": {"generated_at": "2026-04-14T18:57:22.785207+00:00", "value": {"mitigation_remediation": ["Upgrade Tandoor Recipes to version 2.6.5 or later to eliminate the vulnerability.", "If an upgrade is not immediately possible, restrict or delete open recipe import endpoints, and enforce stringent size limits on uploaded ZIP files."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects TandoorRecipes:recipes prior to version 2.6.5. All installations running any version earlier than 2.6.5 are potentially exposed. The fix is included in version 2.6.5 and newer.", "description_and_impact": "Tandoor Recipes, a recipe management application, contains a flaw in its recipe import feature that permits a denial\u2011of\u2011service condition. An authenticated user can upload a ZIP archive that is vastly larger than the target system\u2019s capacity, triggering resource exhaustion and causing the server to crash or become heavily degraded.", "risk_and_exploitability": "In the CVE record the CVSS score is 6.5, indicating a moderate to high impact, while the EPSS score is below 1\u202fpercent, suggesting a low likelihood of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires legitimate access to the import functionality; the attack vector is likely authenticated user access. The result is service disruption to all users of the affected instance."}}}}, "created": "2026-04-13T12:42:50.269037+00:00", "updated": "2026-04-15T16:00:07.791762+00:00", "vendors": ["tandoorrecipes", "tandoorrecipes$PRODUCT$recipes"]}