Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Published: 2026-03-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

A reflected XSS flaw exists in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is returned unescaped in the HTTP response body when an error occurs. Because Flask sends the response with a text/html content type, browsers render and execute any JavaScript injected into the tag_uuid value. An attacker can exploit this to run arbitrary script in the context of the victim’s browser session, enabling credential theft, session hijacking, or malicious site defacement.

Affected Systems

The vulnerability affects all releases of changedetection.io prior to version 0.54.4. The vendor dgtlmoon distributes the affected product as changedetection.io, a free open‑source web‑page change monitoring tool.

Risk and Exploitability

The CVSS score of 6.1 places the flaw at medium severity, while the EPSS score of less than 1% reflects a very low current exploitation probability. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is a crafted URL to the /rss/tag/ endpoint that an end user or automated service might visit: the malicious payload is carried in the tag_uuid path segment, and the browser executes it when the unescaped error response is rendered as HTML.

Generated by OpenCVE AI on April 16, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update changedetection.io to version 0.54.4 or later, which contains the fix for the reflected XSS.
  • Validate any user‑supplied tag_uuid values on the server side, ensuring they match the expected UUID format and escaping or encoding the output before inclusion in the HTTP response.
  • If an upgrade cannot be applied immediately, remove or restrict external access to the /rss/tag endpoint so that browsers cannot load error responses containing untrusted user input.
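The second recommendation, illustrated with an added example that is not code from changedetection.io or OpenCVE: a framework-independent model of the error path, with the unescaped handler beside a hardened one that validates the tag_uuid format and escapes the echoed value. The tag store, function names and the (body, status, content type) return tuples standing in for Flask responses are assumptions made for the example.

```python
import html
import uuid

# Constructed sample tag store (tag_uuid -> tag name); not real changedetection.io data.
TAGS = {"6f1c2a7e-9b4d-4e3a-8c1f-2d5e7a9b0c3d": "news"}


def is_valid_uuid(value: str) -> bool:
    """Accept only the canonical dashed form. uuid.UUID() alone also tolerates
    braces, 'urn:uuid:' prefixes and undashed hex, so compare its canonical
    rendering against the input to keep the check strict."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def rss_tag_vulnerable(tag_uuid: str):
    """Error path modelled on the pre-0.54.4 behaviour described above: the raw
    path parameter is interpolated into a plain string, which Flask serves as
    text/html by default, so any markup in it is parsed by the browser."""
    tag = TAGS.get(tag_uuid)
    if tag is None:
        return f"Tag {tag_uuid} not found", 404, "text/html"
    body = f"<rss><channel><title>{html.escape(tag)}</title></channel></rss>"
    return body, 200, "application/rss+xml"


def rss_tag_hardened(tag_uuid: str):
    """Validate the format before using it, escape anything that is echoed, and
    send error bodies as text/plain so a browser never treats them as HTML
    (in Flask: Response(body, status=400, mimetype="text/plain"))."""
    if not is_valid_uuid(tag_uuid):
        return "Invalid tag id", 400, "text/plain"
    tag = TAGS.get(tag_uuid)
    if tag is None:
        # Already a validated UUID; escaping is belt and braces here.
        return f"Tag {html.escape(tag_uuid)} not found", 404, "text/plain"
    body = f"<rss><channel><title>{html.escape(tag)}</title></channel></rss>"
    return body, 200, "application/rss+xml"


def reflects_markup(body: str, probe: str) -> bool:
    """True if the probe markup survives unescaped in the response body."""
    return probe in body
```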

Generated by OpenCVE AI on April 16, 2026 at 11:30 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-8whx-v8qq-pq64
Title: changedetection.io has Reflected XSS in its RSS Tag Error Response
History

Tue, 10 Mar 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Webtechnologies; Webtechnologies changedetection
CPEs                  -                cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*
Vendors & Products    -                Webtechnologies; Webtechnologies changedetection

Mon, 09 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Dgtlmoon; Dgtlmoon changedetection.io
Vendors & Products    -                Dgtlmoon; Dgtlmoon changedetection.io

Fri, 06 Mar 2026 07:15:00 +0000

Type          Values Removed   Values Added
Description   -                changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Title         -                changedetection.io: Reflected XSS in RSS Tag Error Response
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:57:44.702Z

Reserved: 2026-03-03T17:50:11.242Z

Link: CVE-2026-29038

Vulnrichment

Updated: 2026-03-09T19:57:40.273Z

NVD

Status : Analyzed

Published: 2026-03-06T07:16:01.393

Modified: 2026-03-10T19:38:06.313

Link: CVE-2026-29038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses