CVE-2026-27645 (GCVE-0-2026-27645)
Vulnerability from cvelistv5 – Published: 2026-02-25 04:06 – Updated: 2026-02-25 14:55
VLAI?
Title
changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
Summary
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dgtlmoon | changedetection.io |
Affected:
< 0.54.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27645",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T14:55:52.211770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T14:55:58.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "changedetection.io",
"vendor": "dgtlmoon",
"versions": [
{
"status": "affected",
"version": "\u003c 0.54.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T04:06:58.183Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5"
}
],
"source": {
"advisory": "GHSA-mw8m-398g-h89w",
"discovery": "UNKNOWN"
},
"title": "changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27645",
"datePublished": "2026-02-25T04:06:58.183Z",
"dateReserved": "2026-02-20T22:02:30.029Z",
"dateUpdated": "2026-02-25T14:55:58.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2026-27645
Vulnerability from fkie_nvd - Published: 2026-02-25 05:17 - Updated: 2026-02-25 16:51
Severity ?
Summary
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| webtechnologies | changedetection | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*",
"matchCriteriaId": "582BB3C2-9FD0-4217-A5DF-67ACC72BA029",
"versionEndExcluding": "0.54.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue."
},
{
"lang": "es",
"value": "changedetection.io es una herramienta gratuita de c\u00f3digo abierto para la detecci\u00f3n de cambios en p\u00e1ginas web. En versiones anteriores a la 0.54.1, el endpoint RSS de monitoreo \u00fanico refleja el par\u00e1metro de ruta UUID directamente en el cuerpo de la respuesta HTTP sin escape HTML. Dado que Flask devuelve text/html por defecto para respuestas de cadena de texto plano, el navegador analiza y ejecuta JavaScript inyectado. La versi\u00f3n 0.54.1 contiene una correcci\u00f3n para el problema."
}
],
"id": "CVE-2026-27645",
"lastModified": "2026-02-25T16:51:33.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-25T05:17:26.317",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-MW8M-398G-H89W
Vulnerability from github – Published: 2026-02-25 19:07 – Updated: 2026-02-25 19:07
VLAI?
Summary
changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
Details
Summary
Three security vulnerabilities were identified in changedetection.io through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version (0.53.6) it was additionally validated at scale against 500 internet-facing instances discovered via FOFA search engine, producing 5K+ confirmed detections using a custom Nuclei template, demonstrating widespread real-world impact. The RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript.
Details
File: changedetectionio/blueprint/rss/single_watch.py (lines ~45 and ~50)
The UUID parameter from the URL path is interpolated into the response body using an f-string with no escaping:
Line ~45
watch = datastore.data['watching'].get(uuid)
if not watch:
return f"Watch with UUID {uuid} not found", 404 # ← No escaping, Content-Type: text/html
Line ~50
if len(dates) < 2:
return f"Watch {uuid} does not have enough history snapshots...", 400 # ← Same issue
Flask's default Content-Type for plain string responses is text/html; charset=utf-8, so any HTML/JavaScript in {uuid} is rendered by the browser.
Attack Vector
The attack requires a valid RSS access token, which is a 32-character hex string exposed in the HTML tag on the homepage without authentication:
Attacker visits the target's homepage if it unauthenticathed and extracts the RSS token from the tag Crafts a malicious URL:
- http://target:5000/rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=EXTRACTED_TOKEN
- Sends the link to a victim who has an active session on the changedetection.io instance
- When the victim clicks the link, the server responds with:
- Watch with UUID not found
The browser renders the tag, the onerror fires, and JavaScript executes in the victim's session context
PoC
Request:
GET /rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=223e7edbbfee2268f5abb5344919054e HTTP/1.1
Host: [127.0.0.1:5000](http://127.0.0.1:5000/)
Response:
HTTP/1.1 404 NOT FOUND
Content-Type: text/html; charset=utf-8
Watch with UUID not found
The XSS payload is reflected unescaped in an HTML response. The browser executes alert(document.cookie).
Lots of intances over internet affected to this.
Impact
- Session cookie theft via document.cookie exfiltration
- Account takeover if session cookies lack HttpOnly flag
- Phishing via crafted links that appear to originate from a trusted changedetection.io instance
- Token is obtainable without authentication from the homepage tag, lowering the barrier to exploitation
changedetection.io can work with developer teams to validate and address these issues. Please confirm receipt of this report and inform changedetection.io of the preferred timeline for coordinating the fix.
Roberto Nunes
Severity ?
6.1 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.53.6"
},
"package": {
"ecosystem": "PyPI",
"name": "changedetection.io"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.53.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27645"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T19:07:44Z",
"nvd_published_at": "2026-02-25T05:17:26Z",
"severity": "MODERATE"
},
"details": "### Summary\nThree security vulnerabilities were identified in [changedetection.io](http://changedetection.io/) through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version (0.53.6) it was additionally validated at scale against 500 internet-facing instances discovered via FOFA search engine, producing 5K+ confirmed detections using a custom Nuclei template, demonstrating widespread real-world impact.\nThe RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript.\n\n### Details\nFile: `changedetectionio/blueprint/rss/single_watch.py (lines ~45 and ~50)`\n\nThe UUID parameter from the URL path is interpolated into the response body using an f-string with no escaping:\n\n### Line ~45\n```\nwatch = datastore.data[\u0027watching\u0027].get(uuid)\nif not watch:\n return f\"Watch with UUID {uuid} not found\", 404 # \u2190 No escaping, Content-Type: text/html\n```\n\n### Line ~50\n```\nif len(dates) \u003c 2:\n return f\"Watch {uuid} does not have enough history snapshots...\", 400 # \u2190 Same issue\nFlask\u0027s default Content-Type for plain string responses is text/html; charset=utf-8, so any HTML/JavaScript in {uuid} is rendered by the browser.\n```\n\n## Attack Vector\nThe attack requires a valid RSS access token, which is a 32-character hex string exposed in the HTML \u003clink\u003e tag on the homepage without authentication:\n\n\u003c!-- Visible in page source of any unauthenticated instance --\u003e\n\u003clink rel=\"alternate\" type=\"application/rss+xml\" href=\"/rss?token=f2bb14e20ff01bad83a743cf21b5df95\"\u003e\n\nAttacker visits the target\u0027s homepage if it unauthenticathed and extracts the RSS token from the \u003clink\u003e tag\nCrafts a malicious URL:\n\n1. http://target:5000/rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=EXTRACTED_TOKEN\n2. Sends the link to a victim who has an active session on the [changedetection.io](http://changedetection.io/) instance\n3. When the victim clicks the link, the server responds with:\n4. Watch with UUID not found\n\nThe browser renders the \u003cimg\u003e tag, the onerror fires, and JavaScript executes in the victim\u0027s session context\n\n### PoC\nRequest:\n\n```\nGET /rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=223e7edbbfee2268f5abb5344919054e HTTP/1.1\nHost: [127.0.0.1:5000](http://127.0.0.1:5000/)\n```\n\nResponse:\n\n```\nHTTP/1.1 404 NOT FOUND\nContent-Type: text/html; charset=utf-8\n```\n\nWatch with UUID not found\n\n\n\u003cimg width=\"1918\" height=\"1032\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1633b167-e4ec-4705-a110-18fad7826fc9\" /\u003e\n\nThe XSS payload is reflected unescaped in an HTML response. The browser executes alert(document.cookie).\n\nLots of intances over internet affected to this.\n\u003cimg width=\"1465\" height=\"721\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f54160d4-abd1-4e8d-b845-f85e53e79325\" /\u003e\n\n\n### Impact\n- Session cookie theft via document.cookie exfiltration\n- Account takeover if session cookies lack HttpOnly flag\n- Phishing via crafted links that appear to originate from a trusted [changedetection.io](http://changedetection.io/) instance\n- Token is obtainable without authentication from the homepage \u003clink\u003e tag, lowering the barrier to exploitation\n\nchangedetection.io can work with developer teams to validate and address these issues. Please confirm receipt of this report and inform changedetection.io of the preferred timeline for coordinating the fix.\n\nRoberto Nunes",
"id": "GHSA-mw8m-398g-h89w",
"modified": "2026-02-25T19:07:44Z",
"published": "2026-02-25T19:07:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27645"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgtlmoon/changedetection.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…