CVE-2025-70296
Stored HTML Injection in Mealie 3.3.1 Recipe Notes Component
Publication date: 2026-02-11
Last updated on: 2026-02-23
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mealie | mealie | From 3.3.1 (inc) to 3.8.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Note that CWE-77 is the command-injection weakness. The behaviour this page describes, attacker-supplied HTML rendered unneutralized in the recipe view, is an output-neutralization failure of the CWE-79 kind, so read the CWE entry above as the database's classification rather than as a description of the mechanism.
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70296 is a stored HTML injection vulnerability in the Recipe Notes rendering component of Mealie. The record names Mealie 3.3.1, and the affected-products table gives the range 3.3.1 up to but not including 3.8.0. A remote authenticated user can store arbitrary HTML in a recipe's notes; that HTML is rendered rather than neutralized when anyone views the recipe, which permits user interface redressing within the recipe view.
In practice, any logged-in user who can edit a recipe can insert markup that changes how the recipe page is displayed to every other user who opens it, for example an overlay or a fake control placed over the legitimate interface, misleading viewers or manipulating what they interact with.
How can this vulnerability impact me?
Attacker-controlled markup is served to every user who views the affected recipe, so the attacker can redress the interface: cover the real page with misleading content, imitate application prompts, or place elements that lure users into clicking or entering data. Because the payload is stored, it persists and fires without further attacker interaction.
The answer also refers to unauthorized access to arbitrary system files being addressed alongside this issue. That behaviour is not part of the HTML-injection vulnerability this record describes; treat it as a separate hardening change and do not infer the scope or impact of any file-access issue from this page.
Exploitation of the documented issue can therefore lead to users being deceived into unauthorized actions or into disclosing data within the application; any broader compromise depends on what the redressed interface persuades them to do.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The issue is stored HTML injection in the Recipe Notes rendering component, so there is nothing to detect on the network itself; detection happens on the Mealie instance and its data.
- Version check: compare the running Mealie version with the affected range in the table above (3.3.1 up to, but not including, 3.8.0). Instances in that range should be assumed vulnerable.
- Data check: search stored recipe notes for markup that has no business in a note, such as `<script`, `<iframe`, `on*=` event attributes, `style=` containing `position:fixed` or `position:absolute`, or `javascript:` URLs. A hit means a payload has already been stored, whatever the version.
- Behavioural check: as an authenticated user who can edit a recipe on a test instance, save a note containing a harmless marked element (for example a `<div>` with a unique `id` and a fixed-position `style`), then open the recipe in a fresh browser session and inspect the DOM. If the element appears with its attributes intact, notes are being rendered without adequate sanitization.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to update Mealie to a release that contains the fix.
- Upgrade to Mealie 3.8.0 or later, the first version outside the affected range in the table above; the fix was merged on December 18, 2025.
- The fix tightens the SafeMarkdown component so that HTML attributes in rendered notes are sanitized more strictly. After upgrading, repeat the behavioural test under detection and confirm that a probe element's `style`, `id` and event attributes are stripped.
- The same patch is also described as restricting file access to expected directories; that change ships with the same upgrade.
If an immediate update is not possible, limit recipe-editing rights to trusted users, review already-stored notes for injected markup, and monitor note edits for HTML content.
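Worked example for the detection test and the attribute-sanitization fix described above. This is an added illustration, not Mealie's code and not the actual SafeMarkdown change: a small allowlist sanitizer built on Python's standard-library `html.parser`, paired with a constructed probe note (a fixed-position overlay carrying a hypothetical marker id) and a check that reports whether the overlay survived rendering. The allowlist, the probe markup and the marker value are assumptions chosen for the demonstration.

```python
"""Added example, not Mealie's own code: an attribute-allowlist HTML
sanitizer for recipe-note output plus a probe check for the stored
HTML injection described in CVE-2025-70296."""
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): only formatting a recipe note needs.
# Anything not listed here is dropped, element and attributes alike.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li",
                "a", "code", "pre", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}        # no style, no id, no on* anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}    # their body is not text; skip it entirely


class NoteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags still open, for rebalancing
        self.skip = False     # True while inside <script>/<style>
        self.dropped = []     # (tag, attr-or-None) removed, for audit logs

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip = True
            self.dropped.append((tag, None))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            v = (value or "").strip().lower()
            # href: absolute http(s)/mailto or a same-origin path; no javascript:, no //host
            if name == "href" and not (v.startswith(SAFE_SCHEMES)
                                      or (v.startswith("/") and not v.startswith("//"))):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = False
            return
        if tag in self.open:            # close it and anything left open inside it
            while True:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:                # rebalance tags the note never closed
            self.out.append(f"</{self.open.pop()}>")


def sanitize_note(html_in):
    """Return (sanitized_html, dropped) for one stored recipe note."""
    s = NoteSanitizer()
    s.feed(html_in)
    s.close()
    return "".join(s.out), s.dropped


# Constructed probe: a full-page overlay (UI redressing) with a unique marker.
PROBE_ID = "note-probe-7f3a"                     # hypothetical marker value
PROBE = (f'<div id="{PROBE_ID}" style="position:fixed;top:0;left:0;'
         'width:100%;height:100%;background:#fff;z-index:9999">'
         'Session expired, <a href="javascript:alert(1)">log in again</a></div>')


def probe_survived(rendered_html):
    """True when the note came back with the overlay and its style intact."""
    return f'id="{PROBE_ID}"' in rendered_html and "position:fixed" in rendered_html


if __name__ == "__main__":
    print("unsanitized render vulnerable:", probe_survived(PROBE))
    clean, dropped = sanitize_note(PROBE)
    print("sanitized:", clean)
    print("dropped:", dropped)
    print("sanitized render vulnerable:", probe_survived(clean))
```

Run `sanitize_note` over the stored note before it reaches the template, or run `probe_survived` over the HTML a test instance returns for the recipe view; the `dropped` list is what to log when reviewing existing notes. The sanitizer removes whole disallowed elements and attributes rather than trying to repair them, which is the conservative choice for a field that only ever needs basic formatting.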