mealie CVE 脆弱性と CVE 一覧(14)

製品(CPE): — CVE 件数: 14

mealie 脆弱性概要

mealie 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。

一般的な弱点パターンには vendor risk cross-site scripting and vendor risk ssrf があり、vendor surface software deployment and vendor surface production workloads の利用場面で vendor impact session compromise などのリスクが生じる可能性があります。

掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。

脆弱性分布の推移(直近24か月)

表示中 114 / 14 CVE 件数
«« 先頭 « 前へ 1 / 1 次へ »
CVE 概要 ソース CVSS 最大値 EPSS(%) 公開 更新
CVE-2025-70297 A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser. [email protected] 6.1 0.18% 2026-02-11 2026-06-17
CVE-2025-70296 A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view. [email protected] 5.4 0.23% 2026-02-11 2026-06-17
CVE-2025-56795 Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS. [email protected] 9.0 0.33% 2025-09-29 2026-06-17
CVE-2024-55070 A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group managers to edit their own permissions. [email protected] 3.1 0.21% 2025-03-27 2026-06-17
CVE-2024-55073 A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. [email protected] 7.6 0.25% 2025-03-27 2026-06-17
CVE-2024-55072 A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household. [email protected] 5.4 0.25% 2025-03-27 2026-06-17
CVE-2024-31994 Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, an attacker can point the image request to an arbitrarily large file. Mealie will attempt to retrieve this file in whole. If it can be retrieved, it may be stored on the file system in whole (leading to possible disk consumption), however the more likely scenario given resource limitations is that the container will OOM during file retrieval if the target file size is greater than the allocated memory of the container. At b [email protected] 6.5 0.28% 2024-04-19 2026-06-17
CVE-2024-31993 Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the scrape_image function will retrieve an image based on a user-provided URL, however the provided URL is not validated to point to an external location and does not have any enforced rate limiting. The response from the Mealie server will also vary depending on whether or not the target file is an image, is not an image, or does not exist. Additionally, when a file is retrieved the file may remain stored on Mealie’s file [email protected] 6.2 0.41% 2024-04-19 2026-06-17
CVE-2024-31992 Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server, however these requests are not rate-limited. While there are efforts to prevent DDoS by implementing a timeout on requests, it is possible for an attacker to issue a large number of requests to the server which will be handled in batches based on the configuration of the Mealie server. The chunking of responses is helpful for [email protected] 6.5 0.72% 2024-04-19 2026-06-17
CVE-2024-31991 Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor those that call it, add any restrictions on the URL that can be provided, nor is it restricted to being an FQDN (i.e., an IP address can be provided). As this function’s return will be handled differently by its caller d [email protected] 4.1 0.32% 2024-04-19 2026-06-17
CVE-2022-34624 Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request. [email protected] 5.9 0.51% 2022-08-19 2026-07-08
CVE-2022-34621 Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter. [email protected] 6.5 0.72% 2022-08-19 2026-06-17
CVE-2022-34615 Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. [email protected] 9.8 1.07% 2022-08-19 2026-06-17
CVE-2022-32425 The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time. [email protected] 5.3 0.55% 2022-07-14 2026-06-17
«« 先頭 « 前へ 1 / 1 次へ »
cvelogic Threat Intelligence