Platform: python
Component: recipes
Fixed in: 2.5.2
CVE-2026-25991 describes a Blind Server-Side Request Forgery (SSRF) vulnerability discovered in Tandoor Recipes, a recipe management application. This vulnerability allows authenticated users to trigger the server to connect to arbitrary internal or external resources, potentially leading to data exposure or unauthorized access. The issue affects versions of Tandoor Recipes prior to 2.5.1 and has been resolved in version 2.5.1.
The SSRF vulnerability in Tandoor Recipes allows an authenticated user to make the application server issue requests to internal services or external websites on its behalf, reaching hosts that the user cannot contact directly. This could expose sensitive internal data, such as database credentials or API keys, if the server has access to them. An attacker could also use the server to map internal networks and scan ports, or to reach other vulnerable internal systems. Because the SSRF is blind, the attacker does not see the response directly, but can still infer information about the target system from the server's behavior.
CVE-2026-25991 was publicly disclosed on 2026-02-13. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that a PoC will be developed in the near future.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25991 is to upgrade Tandoor Recipes to version 2.5.1 or later, which includes the necessary URL validation fixes. If upgrading immediately is not possible, consider temporary workarounds: restrict outbound network access from the Tandoor Recipes application server with a firewall or network segmentation, and apply strict validation to every URL accepted by the Cookmate recipe import feature. Monitor application logs for unusual outbound requests originating from the Tandoor Recipes application. After upgrading, confirm the fix by attempting to import a recipe from an external URL and verifying that the application does not connect to unintended destinations.
Update Tandoor Recipes to version 2.5.1 or higher. This version contains the fix for the SSRF vulnerability. The update can be performed through the application's administration panel or by following the upgrade instructions provided by the vendor.
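The URL validation and outbound-request restrictions recommended above come down to one check: before the server fetches a user-supplied URL, every address the URL can lead to must be public. The following Python is an added example written for this page, not Tandoor Recipes' own code and not the vendor's fix. It assumes the import feature only needs ports 80 and 443, and the DNS answers in `CONSTRUCTED_DNS` (and the `demo_resolver` built on them) are constructed so the self-check runs offline.

```python
"""Defensive check for a URL that the server itself is about to fetch.

Added example (not Tandoor Recipes code): the validation a recipe-import
feature needs before fetching a user-supplied URL, so the server cannot be
pointed at loopback, private, link-local (cloud metadata) or other non-public
addresses. DNS answers are checked, not just the hostname text.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # assumption: the import feature only needs standard web ports


class UnsafeURL(ValueError):
    """Raised when the server must not fetch the given URL."""


def is_public_address(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 / ULA, link-local (169.254.0.0/16 covers the
    usual cloud metadata endpoint), multicast, reserved and unspecified
    addresses. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so the
    IPv4 rules apply to it as well.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer for host, via the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = system_resolver) -> str:
    """Validate url for a server-side fetch; return the address to connect to.

    Raises UnsafeURL on any problem. The caller should connect to the returned
    address (sending the original hostname for Host/SNI) instead of resolving
    the name a second time, which would reopen a DNS-rebinding window.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeURL(f"malformed URL: {exc}") from exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    # A literal IP never touches DNS, so check it directly; a name is resolved
    # and every answer must be public (a mixed answer set is rejected).
    try:
        candidates: List[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not candidates:
        raise UnsafeURL(f"no addresses for {host!r}")
    for ip in candidates:
        if not is_public_address(ip):
            raise UnsafeURL(f"{host!r} resolves to non-public address {ip}")
    return str(candidates[0])


# Constructed DNS answers so the self-check runs offline; not real data.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "recipes.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
}


def demo_resolver(host: str) -> List[str]:
    """Resolver backed by CONSTRUCTED_DNS; unknown names fail like NXDOMAIN."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed answer for {host}")
    return CONSTRUCTED_DNS[host]


def classify(urls: Iterable[str], resolve=demo_resolver) -> Dict[str, str]:
    """Map each URL to 'ok:<ip>' or 'reject:<reason>' (what you would log)."""
    verdicts = {}
    for url in urls:
        try:
            verdicts[url] = "ok:" + validate_fetch_url(url, resolve)
        except UnsafeURL as exc:
            verdicts[url] = "reject:" + str(exc)
    return verdicts


if __name__ == "__main__":
    samples = ["https://recipes.example.com/recipe/42", "http://localhost/",
               "http://metadata.internal/", "http://rebind.example.net/",
               "http://10.0.0.1/", "http://[::ffff:127.0.0.1]/", "http://127.0.0.1:8000/",
               "ftp://recipes.example.com/", "https://user:pw@recipes.example.com/"]
    for url, verdict in classify(samples).items():
        print(f"{url:44s} {verdict}")
```

Two points matter when wiring this into a real fetcher. First, HTTP clients such as `requests` follow redirects by default, so a validated public URL can still redirect to an internal one; disable automatic redirects and run `validate_fetch_url` on every hop. Second, the check is only as good as the resolver it is given: in production pass the real resolver, log each rejection with the offending host and address (this is the "unusual outbound request" signal the advisory suggests watching for), and keep the firewall or network segmentation in place as the second layer, since validation in the application is not a substitute for it.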
CVE-2026-25991 is a Blind SSRF vulnerability in Tandoor Recipes versions prior to 2.5.1, allowing authenticated users to force the server to connect to arbitrary resources.
You are affected if you are using Tandoor Recipes version 2.5.1 or earlier. Upgrade to 2.5.1 to mitigate the risk.
Upgrade Tandoor Recipes to version 2.5.1 or later. As a temporary workaround, restrict outbound network access for the application server.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the Tandoor Recipes official security advisory for detailed information and updates: [Placeholder for Official Advisory Link]