Home / Vulnerability Intelligence / CVE-2026-33149

CVE-2026-33149 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 26, 2026

Tandoor Recipes - Host Header Injection

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

Tandoor Recipes <= 2.5.3 contains a host header injection caused by setting ALLOWED_HOSTS='*' allowing attackers to manipulate server-generated absolute URLs, letting attackers poison invite links, exploit requires sending crafted Host headers.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers can poison invite links to steal invite tokens, enabling unauthorized access to the application.

Mitigation

Update to the latest version with proper ALLOWED_HOSTS validation.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-x636-4jx6-xc4w

Related Resources

Details

CVE ID: CVE-2026-33149
Severity: High
CVSS Score: 8.1
Type: host_header_injection
Status: new

CWE

CWE-644

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N