
mealie

18 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-70297
>= 3.3.1 and < 3.6.0
A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows re
6.1 MEDIUM
CVE-2025-70296
>= 3.3.1 and < 3.8.0
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to
5.4 MEDIUM
CVE-2025-56795
<= 3.0.1
Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user
9.0 CRITICAL
CVE-2024-55070
all versions
A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group m
3.1 LOW
CVE-2024-55073
all versions
A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to e
7.6 HIGH
CVE-2024-55072
all versions
A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to e
5.4 MEDIUM
CVE-2024-31994
< 1.4.0
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, an attacker can point the image request to an arbitrarily
6.5 MEDIUM
CVE-2024-31993
< 1.4.0
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the scrape_image function will retrieve an image based on
6.2 MEDIUM
CVE-2024-31992
< 1.4.0
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled
6.5 MEDIUM
CVE-2024-31991
< 1.4.0
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled
4.1 MEDIUM
CVE-2022-34624
all versions
Mealie 1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attac
5.9 MEDIUM
CVE-2022-34621
all versions
Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to mod
6.5 MEDIUM
CVE-2022-34615
all versions
Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to the applica
9.8 CRITICAL
CVE-2022-34619
all versions
A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 allows attackers to execute arbitrary web scripts or HTML via a
5.4 MEDIUM
CVE-2022-34625
all versions
Mealie 1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbit
7.2 HIGH
CVE-2022-34618
all versions
A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML v
5.4 MEDIUM
CVE-2022-34613
all versions
Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted f
9.8 CRITICAL
CVE-2022-32425
all versions
The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time.
5.3 MEDIUM