Description
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Published: 2026-02-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Immediate Patch
AI Analysis

Impact

An attacker can exploit a reflected cross‑site scripting vulnerability in the RSS single‑watch endpoint of changedetection.io. The UUID supplied in the request is reflected directly into the HTML response without escaping, allowing malicious JavaScript to be executed in the victim’s browser. This flaw compromises confidentiality, integrity, and availability of the web UI for authenticated and unauthenticated users depending on the endpoint’s exposure. The weakness maps to CWE‑79.

Affected Systems

Products affected are the open‑source web page change detection tool changedetection.io from vendor dgtlmoon. All releases before 0.54.1 contain the flaw; version 0.54.1 implements a fix that sanitizes the UUID parameter. No additional product variants are listed.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium risk, and the EPSS score of less than 1% shows low likelihood of exploitation at this time. The vulnerability is not catalogued in the CISA KEV list, suggesting no known widespread attacks. Exploitation requires a victim to load a crafted URL in a browser, making it accessible via social engineering or phishing. Because the payload is reflected, an attacker need only supply a malicious UUID; no privileged access or code execution outside the browser context is required.

Generated by OpenCVE AI on April 17, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading changedetection.io to version 0.54.1 or later.
  • When an upgrade is delayed, restrict or remove access to the RSS single‑watch endpoint to trusted users or disable the feature entirely.
  • Ensure that any user‑supplied parameters are properly validated or sanitized before inclusion in HTTP responses, following best practices for preventing reflected XSS.
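The Flask default the description relies on (a bare string return is served as text/html) set beside the controls the recommended actions call for, as an added Python example written for this page; it is not code from changedetection.io or from its 0.54.1 fix. The framework itself is left out so the block runs stand-alone: each function returns the status, content type and body a view would produce, with the content-type default modelled on Flask's; the error wording, the function names and the sample inputs are constructed for illustration.

```python
import html
import uuid
from typing import Tuple

# Constructed sample inputs for this example (not values taken from the advisory).
VALID_UUID = "123e4567-e89b-12d3-a456-426614174000"
MARKUP_INPUT = "<b>not-a-uuid</b>"  # a path segment carrying HTML instead of a UUID

# Flask serves a bare string return value as text/html. The tuples below model that
# default explicitly so the two patterns can be compared without the framework.
FRAMEWORK_DEFAULT_CONTENT_TYPE = "text/html; charset=utf-8"

Response = Tuple[int, str, str]  # (status code, Content-Type header, body)


def vulnerable_error_response(watch_uuid: str) -> Response:
    """Weak pattern the advisory describes (hypothetical reconstruction, not the
    project's code): the path parameter is interpolated into the error message
    unchanged, and the bare string takes the framework's text/html default, so a
    browser renders whatever markup the parameter contained."""
    body = f"No watch found with UUID {watch_uuid}"
    return 404, FRAMEWORK_DEFAULT_CONTENT_TYPE, body


def hardened_error_response(watch_uuid: str) -> Response:
    """Three layered controls:
    1. validate: parse the parameter as a UUID and reject anything else before it
       reaches a response (this alone closes the reflection);
    2. escape: HTML-escape the value that is echoed, as defence in depth;
    3. content type: declare the error as text/plain so a browser never parses it."""
    try:
        canonical = str(uuid.UUID(watch_uuid))  # normalised, lower-case 8-4-4-4-12 form
    except ValueError:
        # Do not echo the rejected input; a fixed message is enough for the client.
        return 400, "text/plain; charset=utf-8", "Invalid watch identifier"
    body = f"No watch found with UUID {html.escape(canonical, quote=True)}"
    return 404, "text/plain; charset=utf-8", body


def browser_would_execute_markup(response: Response, tainted_input: str) -> bool:
    """Check usable in a unit test: True when the untrusted input survives verbatim
    in a body that a browser would parse as HTML."""
    status, content_type, body = response
    return content_type.startswith("text/html") and tainted_input in body


if __name__ == "__main__":
    for name, view in (("vulnerable", vulnerable_error_response),
                       ("hardened", hardened_error_response)):
        resp = view(MARKUP_INPUT)
        print(f"{name:10} {resp[0]} {resp[1]:26} {resp[2]!r} "
              f"reflects_markup={browser_would_execute_markup(resp, MARKUP_INPUT)}")
```

In an actual Flask view the same three controls map onto `uuid.UUID` for validation, `markupsafe.escape` for the echoed value, and returning `flask.Response(body, status=404, mimetype="text/plain")` instead of a bare string; `browser_would_execute_markup` is the kind of assertion worth keeping in the test suite so a later refactor cannot silently reintroduce the reflection.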

Generated by OpenCVE AI on April 17, 2026 at 15:25 UTC.


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-mw8m-398g-h89w   changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
History

Fri, 27 Feb 2026 05:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Webtechnologies; Webtechnologies changedetection
CPEs                                   cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*
Vendors & Products                     Webtechnologies; Webtechnologies changedetection

Wed, 25 Feb 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dgtlmoon; Dgtlmoon changedetection.io
Vendors & Products                     Dgtlmoon; Dgtlmoon changedetection.io

Wed, 25 Feb 2026 05:00:00 +0000

Type          Values Removed   Values Added
Description                    changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Title                          changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Dgtlmoon Changedetection.io
Webtechnologies Changedetection
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T14:55:58.413Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27645

Vulnrichment

Updated: 2026-02-25T14:53:48.952Z

NVD

Status : Analyzed

Published: 2026-02-25T05:17:26.317

Modified: 2026-02-25T16:51:33.417

Link: CVE-2026-27645

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses