Platform: php
Component: tandoor-recipes
Fixed in: 2.6.6
CVE-2026-27460 affects the Tandoor Recipes application, a tool for recipe management, meal planning, and shopping list creation. This vulnerability allows an authenticated user to trigger a Denial of Service (DoS) attack by exploiting the recipe import functionality. Versions 1.0.0 through 2.6.4 are vulnerable; the issue is resolved in version 2.6.5.
The core impact of CVE-2026-27460 is a Denial of Service. An attacker, after authenticating to the Tandoor Recipes application, can upload a specially crafted ZIP file (a ZIP bomb) whose contents expand to an oversized payload when the import extracts it, overwhelming the server's resources. This can leave the application unresponsive and prevent legitimate users from accessing its features. The blast radius is limited to users of the Tandoor Recipes application itself, but a prolonged outage could disrupt meal planning and shopping activities. The severity stems from the ease of triggering the DoS: simply uploading a malicious file is sufficient, requiring no complex exploitation techniques.
CVE-2026-27460 was published on 2026-04-10. Its CVSS score is 6.5 (MEDIUM). There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on KEV or EPSS, suggesting a low probability of exploitation in the near term. Monitor security advisories from the Tandoor Recipes vendor for updates.
Exploit Status
EPSS: 0.05% (14th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27460 is to upgrade Tandoor Recipes to version 2.6.5 or later. If an immediate upgrade is not feasible, apply temporary workarounds: enforce strict size limits on ZIP files accepted by the application's import functionality, and configure a Web Application Firewall (WAF) or reverse proxy to block uploads exceeding a defined size threshold. Monitor server resource utilization (CPU, memory, disk I/O) for unusual spikes that might indicate a DoS attack. After upgrading, confirm the fix by attempting to upload a large ZIP file and verifying that the server remains stable and responsive.
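The size-limit workaround above can be enforced on the archive itself before any entry is decompressed. The following is an added example in Python, not code from the Tandoor Recipes project; the limits, function names and sample archives are assumptions constructed for illustration.

```python
# Added example (not Tandoor Recipes project code): a defensive pre-check for
# ZIP archives handed to an import endpoint. It reads only the central
# directory, so nothing is decompressed before the limits are enforced.
import io
import zipfile

MAX_UPLOAD_BYTES = 10 * 1024 * 1024     # assumed cap on the uploaded archive
MAX_EXTRACTED_BYTES = 5 * 1024 * 1024   # assumed cap on total declared size
MAX_ENTRIES = 500                       # assumed cap on number of members
MAX_RATIO = 100                         # assumed max decompressed/compressed ratio


def check_zip_upload(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Rejects archives that would exhaust disk or memory."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "archive larger than upload limit"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid ZIP archive"
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return False, "too many entries"
        total = 0
        for info in infos:
            # file_size comes from the attacker-controlled central directory, so it
            # is only a lower bound; the real extraction must still cap bytes written.
            total += info.file_size
            if total > MAX_EXTRACTED_BYTES:
                return False, f"declared decompressed size exceeds limit at {info.filename}"
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return False, f"suspicious compression ratio for {info.filename}"
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                return False, f"unsafe path in archive: {info.filename}"
    return True, "ok"


def build_archive(payloads: dict[str, bytes]) -> bytes:
    """Build a sample archive in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in payloads.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a small recipe export and a highly compressible blob
# that declares far more decompressed data than the import should accept.
BENIGN = build_archive({"recipe.json": b'{"name": "Pancakes"}'})
BOMB_LIKE = build_archive({"big.json": b"\0" * (8 * 1024 * 1024)})
```

Because the declared sizes are attacker controlled, the check is a first gate only; the extraction step should additionally stop writing once the same byte cap is reached.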
Update the Tandoor Recipes plugin to version 2.6.5 or later to mitigate the denial of service vulnerability. This update addresses the issue by validating the size of imported files, preventing malicious ZIP files from overloading the server.
It's a Denial of Service vulnerability in Tandoor Recipes versions 1.0.0 through 2.6.4, allowing attackers to crash the server with a large ZIP file upload.
If you are using Tandoor Recipes version 1.0.0 to 2.6.4, you are potentially vulnerable to a DoS attack. Upgrade immediately.
Upgrade Tandoor Recipes to version 2.6.5 or later. As a temporary workaround, limit ZIP file upload sizes and monitor server resources.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-27460.
Refer to the Tandoor Recipes vendor's security advisories and the National Vulnerability Database (NVD) entry for CVE-2026-27460.