CVE-2025-70296
Awaiting Analysis Awaiting Analysis - Queue
Stored HTML Injection in Mealie 3.3.1 Recipe Notes Component

Publication date: 2026-02-11

Last updated on: 2026-02-23

Assigner: MITRE

Description
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-70296
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mealie mealie From 3.3.1 (inc) to 3.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70296 is a stored HTML injection vulnerability in the Recipe Notes rendering component of Mealie version 3.3.1. It allows remote authenticated users to inject arbitrary HTML code into the recipe notes, which results in user interface redressing within the recipe view.

This means that an attacker who is logged in can insert malicious HTML content that alters how the recipe page is displayed to users, potentially misleading them or manipulating the interface.

Impact Analysis

This vulnerability can impact users by allowing attackers to perform user interface redressing attacks, which may trick users into interacting with malicious elements or misleading content within the recipe view.

Additionally, related issues in the same vulnerability allowed unauthorized access to arbitrary system files, potentially leading to privilege escalation, which could compromise the security of the entire system running Mealie.

Therefore, exploitation could lead to unauthorized actions, data exposure, or further compromise of the application environment.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves stored HTML injection in the Recipe Notes rendering component of Mealie, allowing remote authenticated users to inject arbitrary HTML. Detection would involve monitoring or testing the recipe notes input for injection of HTML content that alters the user interface.

Specific technical detection commands or logs are not publicly disclosed to prevent exploitation.

A practical approach is to test the recipe notes field by attempting to input HTML tags and observing if they are rendered or sanitized improperly in the recipe view.

Mitigation Strategies

Immediate mitigation involves applying the security patch released for Mealie that addresses this vulnerability.

  • Update the SafeMarkdown library to enforce stricter sanitization of HTML attributes.
  • Ensure the Mealie application is updated to the version containing the patch merged on December 18, 2025.
  • Restrict file access to expected directories only, as implemented in the patch.

If immediate update is not possible, restrict access to the recipe notes feature to trusted users only and monitor for suspicious input.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart