CVE-2025-56795

9.0 CRITICAL

📋 TL;DR

CVE-2025-56795 is a stored cross-site scripting (XSS) vulnerability in Mealie, a recipe management application. An authenticated user who can create or edit recipes can store script in recipe notes and other free-text fields; the script runs in the browser of any other user who later views that recipe. Mealie 3.0.1 and earlier are affected; 3.0.2 fixes it.

💻 Affected Systems

Products:
  • Mealie
Versions: 3.0.1 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment whose users can reach the recipe create/edit API endpoints is affected; no non-default configuration is needed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session tokens (where these are reachable from script, i.e. not protected by HttpOnly cookies or equivalent), perform actions in the victim's authenticated session, redirect victims to attacker-controlled sites, or use the injected script to load further browser-side payloads from there.

🟠

Likely Case

Session hijacking, credential theft via injected forms or redirects, and unauthorized actions performed in the context of whichever user views the poisoned recipe; a privileged user viewing it is the highest-value target.

🟢

If Mitigated

With contextual output encoding at render time (and input validation as defence in depth), stored markup is displayed as literal text and no script executes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that can create or edit recipes. The payload is stored server-side and fires whenever a victim views the recipe, so the attacker needs no further interaction with the target beyond getting them to open it. A public proof-of-concept demonstrates the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.2 or later

Vendor Advisory: https://github.com/mealie-recipes/mealie/issues/5677

Restart Required: Yes

Instructions:

1. Update Mealie to version 3.0.2 or later.
2. Restart the Mealie service (or recreate the container with the new image).
3. Verify the fix: confirm the running version and re-test a stored payload in a recipe field (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add server-side validation or sanitisation of HTML/JavaScript in recipe notes and other free-text fields. Treat this as a stopgap only: blocklist filters are routinely bypassed with event-handler attributes, nested tags and encoded payloads, and the durable fix is contextual output encoding where the field is rendered.

Content Security Policy (all platforms)

Serve a strict Content-Security-Policy header (for example script-src limited to 'self' plus per-response nonces, without 'unsafe-inline') so that injected inline script does not run even if it reaches the page. Test the policy against your own instance first: a policy that blocks the application's own scripts will break the UI.
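The two workarounds above differ in kind: a filter tries to recognise bad input, output encoding makes every input inert. The following added example (not Mealie project code; function names and payloads are illustrative) shows why a strip-the-script-tag filter fails against ordinary XSS variants while HTML output encoding at render time neutralises all of them.

```python
"""Added example (not Mealie project code): why a blocklist input filter is
only a stopgap for stored XSS in free-text fields such as recipe notes, and
why output encoding at render time is the durable fix. Function names and
payloads are illustrative, not Mealie's."""
import html
import re

# Constructed attacker inputs that a recipe author could store in a note field.
PAYLOADS = [
    "<script>alert('XSS')</script>",             # the obvious one
    "<img src=x onerror=alert(1)>",              # no <script> tag at all
    "<scr<script>ipt>alert(1)</script>",         # survives a single-pass tag strip
    '<a href="javascript:alert(1)">recipe</a>',  # scheme-based, nothing to strip
]

SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_filter(note: str) -> str:
    """'Input validation' of the blocklist kind: strip <script> tags once.

    Anything that is not literally a <script> tag passes through, and nested
    tags reassemble into a new one after the strip.
    """
    return SCRIPT_TAG.sub("", note)


def encode_for_html(note: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context.

    Every character that could open an element or break out of an attribute
    (< > & " ') becomes an entity, so the stored value is displayed as text
    whatever it contains. Apply this where the field is rendered, not on input.
    """
    return html.escape(note, quote=True)


def is_inert(fragment: str) -> bool:
    """Oracle for the demo: without a raw '<' no element can be created, so no
    script element, event handler or javascript: URL can take effect."""
    return "<" not in fragment


def naive_filter_blocks_all(payloads=PAYLOADS) -> bool:
    """True only if the strip-<script> filter neutralises every payload."""
    return all(is_inert(naive_filter(p)) for p in payloads)


def encoding_blocks_all(payloads=PAYLOADS) -> bool:
    """True only if output encoding neutralises every payload."""
    return all(is_inert(encode_for_html(p)) for p in payloads)


def render_note(note: str) -> str:
    """How a hardened template emits a stored note into the page."""
    return f'<p class="recipe-note">{encode_for_html(note)}</p>'


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}")
        print(f"  after filter : {naive_filter(p)!r}  inert={is_inert(naive_filter(p))}")
        print(f"  after encode : {encode_for_html(p)!r}  inert={is_inert(encode_for_html(p))}")
    print("filter blocks all:  ", naive_filter_blocks_all())  # False
    print("encoding blocks all:", encoding_blocks_all())      # True
```

The nested-tag payload is the instructive one: after the filter removes the inner `<script>`, the surrounding fragments join into a fresh `<script>`, so a filter that runs once on input leaves the stored value more dangerous than it looks. Encoding at the point of rendering does not need to understand any of these tricks.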

🧯 If You Can't Patch

  • Restrict recipe creation and editing to trusted (administrative) users until the instance is patched
  • Put a web application firewall with XSS rules in front of the instance, accepting that encoded or unusual payloads can bypass signature-based rules

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the running version is 3.0.1 or earlier. To confirm on a test instance you control, create a recipe with <script>alert('XSS')</script> in a note or text field, then open that recipe from a second account or a fresh session; a popup means the stored payload executed.

Check Version:

Read the version shown in the Mealie web interface's admin/settings area, or for a Docker deployment inspect the running image tag: docker inspect --format '{{.Config.Image}}' mealie. Grepping the full docker inspect output for "version" only works if the image tag or labels happen to embed a version string.

Verify Fix Applied:

After updating to 3.0.2 or later, repeat the payload test: the stored text should render literally (appearing as &lt;script&gt; in the page source) and must not execute.

📡 Detection & Monitoring

Log Indicators:

  • POST, PUT or PATCH requests to /api/recipes/ endpoints whose bodies contain script tags, event-handler attributes or javascript: URLs (the payload travels in the JSON body, which standard access logs do not record; request-body logging at the reverse proxy or a WAF is needed to see it)
  • Repeated script-like payloads from the same account or source address, in plain, percent-encoded or JSON \uXXXX-encoded form

Network Indicators:

  • Recipe API requests carrying script tags or JavaScript
  • Browsers of users who have just viewed a recipe connecting to unfamiliar external hosts (visible in proxy or DNS logs); the script runs in the viewer's browser, not on the Mealie server, so server egress is not where the evidence appears

SIEM Query:

source="mealie-logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND uri_path="/api/recipes/*"

This query matches only literal, unencoded strings, and only if request bodies (where the JSON recipe fields travel) are indexed; percent-encoded or \uXXXX-encoded payloads slip past it unless the SIEM normalises the field first. Expect occasional false positives from legitimate notes that quote HTML, so escalate on repeated hits per account rather than alerting on every match.
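As an added example (not part of the original advisory and not Mealie's code), the following script implements the detection logic above over constructed reverse-proxy log lines. It assumes a proxy that logs the request body after the status code (a configuration assumption; plain access logs will not contain the body), decodes percent-encoding, HTML entities and JSON \uXXXX escapes before matching, and escalates accounts with repeated hits. The log lines, user names and addresses are constructed sample data.

```python
"""Added example (not Mealie project code): scan recipe API write requests for
stored-XSS indicators after decoding common evasions, and flag accounts that
keep trying. The log format below is an assumption: a reverse proxy that logs
  client user [time] "METHOD PATH HTTP/x" status request_body
Sample lines, users and addresses are constructed."""
import html
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = r"""
203.0.113.7 alice [12/Oct/2025:10:01:02 +0000] "POST /api/recipes HTTP/1.1" 201 {"name":"Soup","notes":"Simmer 20 min"}
203.0.113.9 mallory [12/Oct/2025:10:02:14 +0000] "PUT /api/recipes/soup HTTP/1.1" 200 {"notes":"<script>alert('XSS')</script>"}
203.0.113.9 mallory [12/Oct/2025:10:02:40 +0000] "PUT /api/recipes/soup HTTP/1.1" 200 {"notes":"\u003cimg src=x onerror=alert(1)\u003e"}
203.0.113.9 mallory [12/Oct/2025:10:03:05 +0000] "PATCH /api/recipes/soup HTTP/1.1" 200 {"notes":"%3Ca%20href%3D%22javascript:alert(1)%22%3Ex%3C/a%3E"}
198.51.100.4 bob [12/Oct/2025:10:04:00 +0000] "GET /api/recipes/soup HTTP/1.1" 200 -
203.0.113.7 alice [12/Oct/2025:10:05:00 +0000] "POST /api/recipes HTTP/1.1" 201 {"name":"<script> tags, how to","notes":"blog post about html"}
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<body>.*)$'
)

# Indicators from the advisory: script element, javascript: scheme, on* handler.
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_layers(text: str) -> str:
    """Peel the encodings used to slip past literal string matches: percent
    encoding, HTML entities and JSON \\uXXXX escapes. Two rounds cover the
    common double-encoding trick."""
    for _ in range(2):
        text = unquote(text)
        text = html.unescape(text)
        text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return text


def scan(log_text: str, write_methods=("POST", "PUT", "PATCH"), prefix="/api/recipes"):
    """Return one hit per write request to the recipe API whose decoded body
    carries an XSS indicator. Reads are skipped: the payload enters on write."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["method"] not in write_methods or not m["path"].startswith(prefix):
            continue
        decoded = decode_layers(m["body"])
        found = XSS_RE.search(decoded)
        if found:
            hits.append({
                "ip": m["ip"],
                "user": m["user"],
                "path": m["path"],
                "indicator": found.group(0),
                "decoded": decoded,
            })
    return hits


def repeat_offenders(hits, threshold=2):
    """Accounts with at least `threshold` hits: the 'repeated attempts'
    indicator, which separates probing from a note that merely quotes HTML."""
    counts = Counter(h["user"] for h in hits)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['user']:8} {h['ip']:13} {h['path']:20} {h['indicator']!r}")
    print("repeat offenders:", repeat_offenders(found))  # {'mallory': 3}
```

On the sample, the two encoded variants from mallory only match after decoding, and alice's single hit (a note that mentions a script tag) stays below the repeat threshold, which is the tuning the query caveat above is asking for.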
