CVE-2025-23213
Published: 28 January 2025
Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG. Both can contain malicious content (XSS payloads). This vulnerability is fixed in 1.5.28.
Security Summary
CVE-2025-23213 affects Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and building shopping lists. The vulnerability resides in the file upload feature, which permits the upload of arbitrary files, including HTML and SVG formats. These file types can embed malicious content such as XSS payloads, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and was fixed in version 1.5.28.
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity by uploading a malicious HTML or SVG file containing XSS payloads. Exploitation requires user interaction, such as a victim viewing or interacting with the uploaded file. Successful attacks leverage the changed scope to achieve high confidentiality and integrity impacts, potentially allowing attackers to steal sensitive data like session cookies, perform actions on behalf of the victim, or escalate control within the application.
The Tandoor Recipes security advisory (GHSA-56jp-j3x5-hh2w) and the fixing commit (3e37d11c6a3841a00eb27670d1d003f1a713e1cf) confirm the vulnerability's resolution in version 1.5.28. Security practitioners should urge users to update to this version or later to mitigate the risk, and review file upload configurations to restrict dangerous MIME types like HTML and SVG in affected deployments.
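The mitigation described above, restricting dangerous types such as HTML and SVG at upload time, as an added illustration that is not Tandoor's own fix: a framework-agnostic gate (the `inspect_upload` function and its helpers are hypothetical names, to be wired into the upload view) that rejects active content by extension, by declared MIME type and by sniffing the leading bytes, and returns the headers that keep any stored file from being rendered inline.

```python
import re
from dataclasses import dataclass, field

# Names and MIME types a browser renders as active content when served inline.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".svgz", ".xml"}
ACTIVE_MIME_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                     "text/xml", "application/xml"}

# Markup that marks the body as HTML/SVG whatever the declared name or type says.
_ACTIVE_MARKUP = re.compile(
    rb"<\s*(!doctype\s+html|html|script|svg|iframe|object|embed)\b", re.IGNORECASE
)


@dataclass
class UploadDecision:
    allowed: bool
    reason: str
    # Headers to serve the stored file with so the browser never renders it inline.
    response_headers: dict = field(default_factory=dict)


def _safe_filename(filename: str) -> str:
    """Drop any directory part and characters that could break Content-Disposition."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "upload"


def inspect_upload(filename: str, declared_mime: str, data: bytes) -> UploadDecision:
    """Reject HTML/SVG by extension, by declared MIME type and by content sniffing."""
    name = _safe_filename(filename)
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ACTIVE_EXTENSIONS:
        return UploadDecision(False, f"extension {ext} is active content")
    if declared_mime.lower().split(";")[0].strip() in ACTIVE_MIME_TYPES:
        return UploadDecision(False, f"declared type {declared_mime} is active content")
    # An SVG renamed to .jpg is still SVG: look at the leading bytes, not the label.
    if _ACTIVE_MARKUP.search(data[:4096]):
        return UploadDecision(False, "body sniffed as HTML/SVG markup")
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return UploadDecision(True, "ok", headers)
```

The sniffing step matters because a browser served an SVG body under a misleading name will still parse it as SVG unless the response carries `nosniff` and a non-rendering content type.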
Details
- CWE(s)