CVE-2026-35488 · HIGH 8.1 · EPSS p29.4%

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.
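The following is an added, stand-alone model of the weakness class the description names (an object permission that never consults SAFE_METHODS) beside the read-only form; it is not Tandoor's code, rest_framework is deliberately not imported, and User, Request, allowed_methods and unsafe_grants are assumed helper names for the illustration.

```python
# Added illustration of the pattern behind CVE-2026-35488: a DRF-style object
# permission that ignores request.method. Stand-alone model, NOT Tandoor's code.
from dataclasses import dataclass, field

# Same tuple Django REST framework exposes as rest_framework.permissions.SAFE_METHODS
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
ALL_METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE")


@dataclass(frozen=True)
class User:  # assumed stand-in for the framework's user object
    pk: int


@dataclass
class RecipeBook:
    owner: User
    shared: list = field(default_factory=list)  # users meant to get read-only access


@dataclass
class Request:  # assumed stand-in carrying only what the permission hook reads
    user: User
    method: str


class CustomIsSharedVulnerable:
    """Pre-2.6.4 behaviour as described: any shared user passes for every method."""

    def has_object_permission(self, request, view, obj):
        return request.user in obj.shared  # no SAFE_METHODS gate -> DELETE/PUT/PATCH pass


class CustomIsSharedFixed:
    """Shared access is read-only: non-safe methods are refused before the share check."""

    def has_object_permission(self, request, view, obj):
        if request.method not in SAFE_METHODS:
            return False
        return request.user in obj.shared


def allowed_methods(permission, user, book):
    """HTTP methods the permission grants `user` on `book` (assumed audit helper)."""
    return {m for m in ALL_METHODS
            if permission.has_object_permission(Request(user, m), None, book)}


def unsafe_grants(permission, user, book):
    """Write methods a supposedly read-only permission still grants; non-empty means the flaw."""
    return allowed_methods(permission, user, book) - set(SAFE_METHODS)
```

Running unsafe_grants against each alternative permission class a viewset combines is a quick regression check that shared access stays read-only after an upgrade.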

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.4% · 2026-06-19T12:03:05Z
Published: 2026-04-07
Last modified: 2026-04-17

Underlying weaknesses · 1

CWE-749

References

  1. https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4
  2. https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f

Type: Weakness
Target: Exposed Dangerous Method or Function (cwe-749)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-35045
CVE: CVE-2025-23211
CVE: CVE-2026-33149
CVE: CVE-2026-5652
CVE: CVE-2025-56795
CVE: CVE-2026-47349
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.