## https://sploitus.com/exploit?id=3F165406-B8AC-594E-9BF4-290640B7E2D6
# CVE-2025-56795
## Description
Two stored Cross-Site Scripting (XSS) vulnerabilities were identified in the recipe creation functionality of **Mealie**, affecting all versions up to and including **3.0.1**.
Unsanitized user input provided during recipe creation is stored and later rendered in the frontend without proper escaping, resulting in persistent XSS.
---
## Affected Fields
During the creation of a new recipe, the following fields are vulnerable:
1. **Ingredient Notes (`note` parameter):**
Input in this field is stored and later rendered in the recipe detail view, allowing the execution of injected JavaScript payloads.
2. **Instruction Text (`text` parameter):**
Input in this field is also stored and rendered in the recipe detail view, leading to JavaScript execution when the recipe is viewed.
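As an added example (not code from the advisory or from the Mealie project), the two defensive checks the description implies: output escaping for the `note` and `text` fields, and an audit that flags stored values containing markup. The container array names `recipeIngredient` and `recipeInstructions` and the sample recipe are assumptions made for this example.

```javascript
// Added example, not Mealie's code. Assumes ingredients live under
// `recipeIngredient` (each with a `note`) and steps under
// `recipeInstructions` (each with a `text`); both names are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that let text break out of an HTML text node
// or attribute value; this is the "proper escaping" the description refers to.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Copy of the recipe whose `note` and `text` fields are safe to place into
// the DOM via innerHTML / v-html (textContent would not need this step).
function escapeRecipeFields(recipe) {
  return {
    ...recipe,
    recipeIngredient: (recipe.recipeIngredient ?? []).map((ing) => ({ ...ing, note: escapeHtml(ing.note) })),
    recipeInstructions: (recipe.recipeInstructions ?? []).map((step) => ({ ...step, text: escapeHtml(step.text) })),
  };
}

// Detection: list the stored fields that contain an HTML tag, so an operator
// of a version <= 3.0.1 can find recipes that need review before upgrading.
const TAG_PATTERN = /<\/?[a-z][^>]*>/i;

function findMarkup(recipe) {
  const hits = [];
  (recipe.recipeIngredient ?? []).forEach((ing, i) => {
    if (TAG_PATTERN.test(ing.note ?? "")) hits.push(`recipeIngredient[${i}].note`);
  });
  (recipe.recipeInstructions ?? []).forEach((step, i) => {
    if (TAG_PATTERN.test(step.text ?? "")) hits.push(`recipeInstructions[${i}].text`);
  });
  return hits;
}

// Constructed sample recipe (not from the advisory): one clean note, one
// note and one instruction step carrying markup.
const SAMPLE_RECIPE = {
  name: "Example soup",
  recipeIngredient: [
    { quantity: 2, unit: "cups", food: "stock", note: "low sodium" },
    { quantity: 1, unit: "", food: "onion", note: "<b>finely</b> chopped" },
  ],
  recipeInstructions: [{ text: "Simmer for 20 min <script>x()</script>" }],
};

console.log(findMarkup(SAMPLE_RECIPE));
console.log(escapeRecipeFields(SAMPLE_RECIPE).recipeInstructions[0].text);
```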
---
## Proof of Concept
The report's screenshots (not reproduced here) show:
- the vulnerable `note` and `text` parameters in the JSON response after creating a new recipe;
- a browser alert triggered via the `note` parameter ("First Stored XSS");
- a browser alert triggered via the `text` parameter ("Second Stored XSS").
---
## References
- [GitHub Issue – Vulnerability Report](https://github.com/mealie-recipes/mealie/issues/5677)
- [GitHub Pull Request – Fix](https://github.com/mealie-recipes/mealie/pull/5754)