CVE-2026-28503 Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the SyncViewSet.querysyncedfolder action in cookbook/views/api.py line 903 fetches a Sync object using getobjector404Sync, pk=pk without including space=request.space i...

PT-2026-28380

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.0 Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the SyncViewSet.query synced folder action in...

Vagrant Synced Folder Vagrantfile Breakout Exploit

This Metasploit module exploits a default Vagrant synced folder shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable vagrant...

Vagrant Synced Folder Vagrantfile Breakout

This module exploits a default Vagrant synced folder shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable 'vagrant' directory o...

Vagrant Synced Folder Vagrantfile Breakout

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Vagrant Synced Folder Vagrantfile Breakout', 'Description' = %q This module exploits a default Vagrant synced folder shared folder to append a Ru...