CVE-2025-70296

5.4 MEDIUM

📋 TL;DR

A stored HTML injection vulnerability in Mealie 3.3.1 allows authenticated users to inject arbitrary HTML into recipe notes, which can lead to user interface redressing attacks. Injecting requires an authenticated account, but the impact falls on any Mealie 3.3.1 user who views a recipe carrying a malicious note.

💻 Affected Systems

Products:
  • Mealie
Versions: 3.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Recipe Notes rendering component. Requires authenticated user access to inject HTML.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could inject malicious HTML/JavaScript that performs phishing attacks, steals session cookies, or redirects users to malicious sites when viewing recipes.

🟠 Likely Case

Authenticated users inject HTML that alters the recipe interface appearance, potentially tricking users into unintended actions or displaying misleading content.

🟢 If Mitigated

With proper input validation and output encoding, injected HTML would be rendered as plain text without executing.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are vulnerable to authenticated attackers, but exploitation requires user interaction to view malicious recipes.
🏢 Internal Only: MEDIUM - Internal instances face similar risks from authenticated malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and user interaction (viewing the malicious recipe). The vulnerability is in HTML rendering without proper sanitization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in pull request #6743 (commit after 3.3.1)

Vendor Advisory: https://github.com/mealie-recipes/mealie/issues/6690

Restart Required: No

Instructions:

1. Update Mealie to the latest version containing the fix from pull request #6743.
2. Verify the Recipe Notes component properly sanitizes HTML input.
3. No service restart is required for the patch itself.

🔧 Temporary Workarounds

Disable Recipe Notes Editing

all

Temporarily disable the Recipe Notes editing functionality for all users to prevent HTML injection.

Modify Mealie configuration to remove or disable the recipe notes input field in the UI.

Input Validation Filter

all

Implement server-side input validation to strip or escape HTML tags in recipe notes before storage.

Add HTML sanitization to the recipe notes processing function before saving to database.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent execution of injected scripts.
  • Monitor recipe notes for suspicious HTML patterns and alert on potential injection attempts.

🔍 How to Verify

Check if Vulnerable:

Test by creating a recipe note containing HTML such as <script>alert('test')</script> or <img src=x onerror=alert(1)>, then view the recipe: if the markup is interpreted (the script runs or the image error handler fires) rather than shown as literal text, the instance is vulnerable.

Check Version:

Check Mealie version in the application interface or via the application's version endpoint if available.

Verify Fix Applied:

After patching, repeat the same test: the HTML should be displayed as plain text and nothing should execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML patterns in recipe notes creation/update logs
  • Multiple rapid recipe note modifications from single user

Network Indicators:

  • Increased traffic to recipe viewing endpoints with unusual parameters

SIEM Query:

search 'recipe_note' AND ('<script>' OR '<img' OR 'onerror=') in application logs
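Both the server-side "strip or escape" workaround described under Temporary Workarounds and the SIEM query above can be exercised with the following Python example. It is added here and is not Mealie's own code: the function names and the audit-log line format are assumptions, and the sample log lines are constructed for the example.

```python
import html
import re

# Injection patterns called out in the advisory: script tags, img tags and
# inline event handlers such as onerror=. Case-insensitive, whitespace-tolerant.
SUSPICIOUS_HTML = re.compile(r"<\s*script\b|<\s*img\b|\bon[a-z]+\s*=", re.IGNORECASE)

# Assumed audit-log line format (constructed for this example, not Mealie's own):
#   <timestamp> user=<name> action=recipe_note_<create|update> note=<text>
NOTE_EVENT = re.compile(r"user=(\S+) action=recipe_note_(?:create|update) note=(.*)$")


def sanitize_note(note: str) -> str:
    """Escape HTML metacharacters so the note is stored and rendered as plain text.

    This is the 'strip or escape' server-side filter from the workaround section:
    <, >, &, " and ' become entities, so <script> is shown literally, not executed.
    """
    return html.escape(note, quote=True)


def is_suspicious_note(note: str) -> bool:
    """True if the raw note carries one of the injection patterns above."""
    return SUSPICIOUS_HTML.search(note) is not None


def scan_log_lines(lines):
    """Return (user, note) pairs for note create/update events that look like injection.

    Mirrors the advisory's SIEM query ('<script>' OR '<img' OR 'onerror=') but also
    catches spacing/case variants such as '< SCRIPT' or 'ONERROR ='.
    """
    hits = []
    for line in lines:
        m = NOTE_EVENT.search(line)
        if m and is_suspicious_note(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log lines; the second and third carry the page's test payloads.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z user=alice action=recipe_note_update note=Add 2 eggs and whisk",
    "2025-01-01T10:01:00Z user=mallory action=recipe_note_update note=<img src=x onerror=alert(1)>",
    "2025-01-01T10:02:00Z user=mallory action=recipe_note_create note=<script>alert('test')</script>",
    "2025-01-01T10:03:00Z user=bob action=recipe_view recipe=42",
]

if __name__ == "__main__":
    for user, note in scan_log_lines(SAMPLE_LOG):
        print(f"ALERT user={user} raw={note!r} stored_as={sanitize_note(note)!r}")
```

The event-handler pattern will also flag innocent text such as "onion=" in a note, so tune the regular expression against your own log volume before alerting on it.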
