CVE-2025-56795

Published: 29 Sep 2025
Source: nvd
CVSS3: 9
EPSS: Low

Description

Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.

Vulnerable configurations

Configuration 1
cpe:2.3:a:mealie:mealie:*:*:*:*:*:*:*:*
Versions up to and including 3.0.1

EPSS

Percentile: 21%
0.0007
Low

9 Critical

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
github
4 months ago

Mealie 3.0.1 and earlier is vulnerable to Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.
