CVE-2025-56795

Published: Sep 29, 2025Modified: Oct 16, 2025

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.

Affected (1)

Products: Mealie: Mealie

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mealie Mealie	Up to 3.0.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/B1tBreaker/CVE-2025-56795

Source: cve@mitre.org

Exploit

https://github.com/mealie-recipes/mealie/issues/5677

Source: cve@mitre.org

ExploitIssue Tracking

https://github.com/mealie-recipes/mealie/pull/5754

Source: cve@mitre.org

Issue TrackingPatch

Timeline

No history available yet.