SQL Injection in Tandoorrecipes Recipes

CVE-2026-33153

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query…

Vulnerability class: SQL Injection

EPSS: 0.000 (5.1th percentile) — read the EPSS interpretation.

Affected products

Tandoorrecipes Recipes — versions < 2.6.0

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf (x_refsource_CONFIRM)
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 (x_refsource_MISC)