LeakyCreds

CVE-2026-33149 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: March 26, 2026

Tandoor Recipes - Host Header Injection

Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable

Overview

Tandoor Recipes versions up to and including 2.5.3 contain a host header injection vulnerability caused by the default setting ALLOWED_HOSTS='*', which makes Django accept any value in the HTTP Host header. Because server-generated absolute URLs are built from that header, an attacker who sends a crafted Host header can manipulate them and poison invite links.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 2.8% (probability of exploitation in the next 30 days)

Impact

Attackers can poison invite links to steal invite tokens, enabling unauthorized access to the application.

Mitigation

Update to the latest version with proper ALLOWED_HOSTS validation.
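The check the mitigation refers to, as an added illustration that is not Tandoor's or Django's own code: a stand-alone Python re-implementation of the Host-header validation Django runs against ALLOWED_HOSTS, exercised with the vulnerable wildcard beside a restricted list. The matching rules (a '*' entry accepts any syntactically valid host, a leading-dot entry covers the domain and its subdomains, the port is ignored) are assumed to mirror Django's validate_host(); the hostnames, the allowed-host lists and the invite path are constructed.

```python
import re

# Added example: re-implements the Host-header check Django performs against
# ALLOWED_HOSTS (assumed to follow Django's validate_host()/is_same_domain()
# semantics; not code from Tandoor Recipes or Django). All hostnames, settings
# values and the invite path below are constructed for illustration.

# Django-style host syntax: DNS name or bracketed IPv6 literal, optional port.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host: str) -> tuple[str, str]:
    """Return (domain, port) from a Host header value, or ('', '') if malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    return domain.rstrip("."), port  # a trailing dot is ignored for matching


def is_same_domain(host: str, pattern: str) -> bool:
    """Match a host against one ALLOWED_HOSTS entry ('.example.com' = domain + subdomains)."""
    pattern = pattern.lower()
    if not pattern:
        return False
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def host_allowed(host_header: str, allowed_hosts: list[str]) -> bool:
    """True if the Host header passes the ALLOWED_HOSTS check; '*' accepts any valid host."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def build_absolute_url(host_header: str, path: str, allowed_hosts: list[str]) -> str:
    """Build a server-generated absolute URL (such as an invite link) from the
    request Host, refusing any host that ALLOWED_HOSTS does not cover."""
    if not host_allowed(host_header, allowed_hosts):
        raise ValueError(f"disallowed Host header: {host_header!r}")
    return f"https://{host_header.lower()}{path}"


# The vulnerable default described on the page, beside a restricted configuration.
WEAK_ALLOWED_HOSTS = ["*"]
HARDENED_ALLOWED_HOSTS = ["recipes.example.com", ".internal.example.com"]  # constructed


def demo() -> dict[str, bool]:
    """Report which Host values each configuration accepts when building an invite link."""
    path = "/invite/TOKEN-PLACEHOLDER"  # placeholder path, not a real token
    results = {}
    for host in ("recipes.example.com", "recipes.example.com:8443",
                 "attacker.example.net", "bad host"):
        for name, cfg in (("weak", WEAK_ALLOWED_HOSTS), ("hardened", HARDENED_ALLOWED_HOSTS)):
            try:
                build_absolute_url(host, path, cfg)
                results[f"{name}:{host}"] = True
            except ValueError:
                results[f"{name}:{host}"] = False
    return results


if __name__ == "__main__":
    for key, accepted in demo().items():
        print(f"{key:40s} {'accepted' if accepted else 'rejected'}")
```

With the wildcard, the only Host values rejected are syntactically malformed ones, so an attacker-chosen hostname flows straight into the generated link; with an explicit list, any host the deployment does not own is refused before the URL is built.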

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 26, 2026

🟠 CVE-2026-33149 - High (8.1) Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without val... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33149/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33149
Severity: High
CVSS Score: 8.1
Type: host_header_injection
Status: new
EPSS: 2.8%
Social Posts: 1

CWE

  • CWE-644

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

EPSS Score

2.8% (probability of exploitation in the next 30 days)