CVE-2025-57396
MEDIUM EPSS 12.7%
Published Sep 19, 20259mo ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Published Sep 19, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago
Description
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API Endpoint containing two boolean values indicating whether a user is staff or administrative. Consequently, any user can escalate their privileges to the highest level.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
12.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-269 Improper Privilege Management Authorization
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| tandoor | recipes | 2.0.0 | any |
References 1
- m10x.de https://m10x.de/posts/2025/08/continuous-checks-are-important-privilege-escalation-in-tandoor-recipes/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.