2 matches found
CVE-2026-35488
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.hasobjectpermission returns True for all HTTP methods —...
CVE-2026-35488
CVE-2026-35488 affects Tandoor Recipes where RecipeBookViewSet and RecipeBookEntryViewSet exposed a flawed CustomIsShared permission: has_object_permission() returns True for all HTTP methods, letting shared (read-only) users delete or overwrite a RecipeBook. The root cause is the permission chec...