CVE-2026-29038 (GCVE-0-2026-29038)
Vulnerability from cvelistv5 – Published: 2026-03-06 06:53 – Updated: 2026-03-09 19:57
VLAI?
Title
changedetection.io: Reflected XSS in RSS Tag Error Response
Summary
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dgtlmoon | changedetection.io |
Affected:
< 0.54.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29038",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T19:57:33.784446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T19:57:44.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "changedetection.io",
"vendor": "dgtlmoon",
"versions": [
{
"status": "affected",
"version": "\u003c 0.54.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T06:53:56.959Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4"
}
],
"source": {
"advisory": "GHSA-8whx-v8qq-pq64",
"discovery": "UNKNOWN"
},
"title": "changedetection.io: Reflected XSS in RSS Tag Error Response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29038",
"datePublished": "2026-03-06T06:53:56.959Z",
"dateReserved": "2026-03-03T17:50:11.242Z",
"dateUpdated": "2026-03-09T19:57:44.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-29038",
"date": "2026-04-14",
"epss": "0.00039",
"percentile": "0.11503"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-29038\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T07:16:01.393\",\"lastModified\":\"2026-03-10T19:38:06.313\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.\"},{\"lang\":\"es\",\"value\":\"changedetection.io es una herramienta gratuita de c\u00f3digo abierto para la detecci\u00f3n de cambios en p\u00e1ginas web. Antes de la versi\u00f3n 0.54.4, existe una vulnerabilidad de cross-site scripting (XSS) reflejado identificada en el endpoint /rss/tag/ de changedetection.io. El par\u00e1metro de ruta tag_uuid se refleja directamente en el cuerpo de la respuesta HTTP sin escape HTML. Dado que Flask devuelve text/html por defecto para respuestas de cadena de texto plano, el navegador analiza y ejecuta JavaScript inyectado. Este problema ha sido parcheado en la versi\u00f3n 0.54.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.54.4\",\"matchCriteriaId\":\"B4C1D55D-C25D-433D-98EA-A9C3336210DE\"}]}]}],\"references\":[{\"url\":\"https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29038\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T19:57:33.784446Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T19:57:40.273Z\"}}], \"cna\": {\"title\": \"changedetection.io: Reflected XSS in RSS Tag Error Response\", \"source\": {\"advisory\": \"GHSA-8whx-v8qq-pq64\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"dgtlmoon\", \"product\": \"changedetection.io\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.54.4\"}]}], \"references\": [{\"url\": \"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64\", \"name\": \"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780\", \"name\": \"https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4\", \"name\": \"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T06:53:56.959Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-29038\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T19:57:44.702Z\", \"dateReserved\": \"2026-03-03T17:50:11.242Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T06:53:56.959Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-29038
Vulnerability from fkie_nvd - Published: 2026-03-06 07:16 - Updated: 2026-03-10 19:38
Severity ?
Summary
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| webtechnologies | changedetection | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4C1D55D-C25D-433D-98EA-A9C3336210DE",
"versionEndExcluding": "0.54.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4."
},
{
"lang": "es",
"value": "changedetection.io es una herramienta gratuita de c\u00f3digo abierto para la detecci\u00f3n de cambios en p\u00e1ginas web. Antes de la versi\u00f3n 0.54.4, existe una vulnerabilidad de cross-site scripting (XSS) reflejado identificada en el endpoint /rss/tag/ de changedetection.io. El par\u00e1metro de ruta tag_uuid se refleja directamente en el cuerpo de la respuesta HTTP sin escape HTML. Dado que Flask devuelve text/html por defecto para respuestas de cadena de texto plano, el navegador analiza y ejecuta JavaScript inyectado. Este problema ha sido parcheado en la versi\u00f3n 0.54.4."
}
],
"id": "CVE-2026-29038",
"lastModified": "2026-03-10T19:38:06.313",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-06T07:16:01.393",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-8WHX-V8QQ-PQ64
Vulnerability from github – Published: 2026-03-04 20:58 – Updated: 2026-03-06 21:57
VLAI?
Summary
changedetection.io has Reflected XSS in its RSS Tag Error Response
Details
A reflected cross-site scripting (XSS) vulnerability was identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript.
This vulnerability persists in version 0.54.1, which patched the related XSS in /rss/watch/ (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint.
Package
- Ecosystem: pip
- Package: changedetection.io
- Affected versions: <= 0.54.1
- Patched versions: (none yet)
Severity
Moderate - CVSS 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
File: changedetectionio/blueprint/rss/tag.py Line: 36 Source: tag.py @ 1d72716
The tag_uuid parameter from the URL path is interpolated into the response body using an f-string with no escaping:
tag = datastore.data['settings']['application'].get('tags', {}).get(tag_uuid)
if not tag:
return f"Tag with UUID {tag_uuid} not found", 404 # ← No escaping, Content-Type: text/html
Flask's default Content-Type for plain string responses is text/html; charset=utf-8, so any HTML/JavaScript injected via {tag_uuid} is rendered and executed by the browser.
Relationship to CVE-2026-27645
CVE-2026-27645 (GHSA-mw8m-398g-h89w) addressed the identical vulnerability pattern in /rss/watch/ (single_watch.py). The fix applied in v0.54.1 patched that endpoint but did not fix the same pattern in /rss/tag/ (tag.py). Testing confirms:
/rss/watch/on v0.54.1 — Returns generic 404 page, XSS no longer triggers ✅/rss/tag/on v0.54.1 — XSS payload still fires, vulnerability confirmed ❌
Attack Vector
The attack requires a valid RSS access token, which is a 32-character hex string exposed in the <link> HTML tag on the homepage without authentication:
- Attacker visits the target's homepage (if unauthenticated) and extracts the RSS token from the
<link>tag -
Crafts a malicious URL:
``` http://target:5000/rss/tag/
?token=EXTRACTED_TOKEN
```
-
Sends the link to a victim who has an active session on the changedetection.io instance
-
When the victim clicks the link, the server responds with:
``` Tag with UUID
```
-
The browser renders the
<img>tag, theonerrorfires, and JavaScript executes in the victim's session context
Proof of Concept
Request
GET /rss/tag/%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E?token=60b83b06df98b24c66367bc3d233105b HTTP/1.1
Host: localhost:5000
Response
HTTP/1.1 404 NOT FOUND
Content-Type: text/html; charset=utf-8
Tag with UUID <img src=x onerror=alert(document.domain)> not found
The XSS payload is reflected unescaped in an HTML response. The browser executes alert(document.domain) and displays "localhost", confirming JavaScript execution.
Tested on: changedetection.io v0.54.1 (Docker, localhost, Feb 25, 2026)
https://github.com/user-attachments/assets/6db07f6a-6df8-48a7-a597-9f39dfa1bb29
Impact
- Session cookie theft via
document.cookieexfiltration - Account takeover if session cookies lack the
HttpOnlyflag - Phishing via crafted links that appear to originate from a trusted changedetection.io instance
- Low exploitation barrier - the RSS token is obtainable without authentication from the homepage
<link>tag - Widespread exposure - prior scanning of internet-facing instances (during CVE-2026-27645 research) identified 500+ publicly accessible deployments
Suggested Fix
Escape the tag_uuid parameter before reflecting it in the response, or set the Content-Type to text/plain:
Option A: HTML Escape (Recommended)
from markupsafe import escape
if not tag:
return f"Tag with UUID {escape(tag_uuid)} not found", 404
Option B: Set Content-Type to text/plain
from flask import make_response
if not tag:
resp = make_response(f"Tag with UUID {tag_uuid} not found", 404)
resp.headers['Content-Type'] = 'text/plain; charset=utf-8'
return resp
Credits
- Roberto Nunes (@Akokonunes) - Reporter
- neo-ai-engineer (@neo-ai-engineer) - Reporter
References
- Related advisory: GHSA-mw8m-398g-h89w (CVE-2026-27645)
- Vulnerable source: tag.py @ 1d72716
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "changedetection.io"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.54.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29038"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T20:58:14Z",
"nvd_published_at": "2026-03-06T07:16:01Z",
"severity": "MODERATE"
},
"details": "A reflected cross-site scripting (XSS) vulnerability was identified in the `/rss/tag/` endpoint of changedetection.io. The `tag_uuid` path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns `text/html` by default for plain string responses, the browser parses and executes injected JavaScript.\n\nThis vulnerability persists in version **0.54.1**, which patched the related XSS in `/rss/watch/` (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint.\n\n## Package\n\n- **Ecosystem:** pip\n- **Package:** changedetection.io\n- **Affected versions:** \u003c= 0.54.1\n- **Patched versions:** _(none yet)_\n\n\n## Severity\n**Moderate - CVSS 6.1**\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`\n\n\n## Details\n**File:** `changedetectionio/blueprint/rss/tag.py` **Line:** 36 **Source:** [tag.py @ 1d72716](https://raw.githubusercontent.com/dgtlmoon/changedetection.io/1d72716c6988a4f6796bb85a5d42872800cd7a70/changedetectionio/blueprint/rss/tag.py)\n\nThe `tag_uuid` parameter from the URL path is interpolated into the response body using an f-string with no escaping:\n\n```python\ntag = datastore.data[\u0027settings\u0027][\u0027application\u0027].get(\u0027tags\u0027, {}).get(tag_uuid)\nif not tag:\n return f\"Tag with UUID {tag_uuid} not found\", 404 # \u2190 No escaping, Content-Type: text/html\n\n```\n\nFlask\u0027s default `Content-Type` for plain string responses is `text/html; charset=utf-8`, so any HTML/JavaScript injected via `{tag_uuid}` is rendered and executed by the browser.\n\n### Relationship to CVE-2026-27645\n\nCVE-2026-27645 (GHSA-mw8m-398g-h89w) addressed the identical vulnerability pattern in `/rss/watch/` (`single_watch.py`). The fix applied in v0.54.1 patched that endpoint but **did not** fix the same pattern in `/rss/tag/` (`tag.py`). Testing confirms:\n\n- **`/rss/watch/` on v0.54.1** \u2014 Returns generic 404 page, XSS no longer triggers \u2705\n- **`/rss/tag/` on v0.54.1** \u2014 XSS payload still fires, vulnerability confirmed \u274c\n\n## Attack Vector\n\nThe attack requires a valid RSS access token, which is a 32-character hex string exposed in the `\u003clink\u003e` HTML tag on the homepage without authentication:\n\n1. Attacker visits the target\u0027s homepage (if unauthenticated) and extracts the RSS token from the `\u003clink\u003e` tag\n2. Crafts a malicious URL:\n \n ```\n http://target:5000/rss/tag/\u003cimg src=x onerror=alert(document.cookie)\u003e?token=EXTRACTED_TOKEN\n \n ```\n \n3. Sends the link to a victim who has an active session on the changedetection.io instance\n4. When the victim clicks the link, the server responds with:\n \n ```\n Tag with UUID \u003cimg src=x onerror=alert(document.cookie)\u003e not found\n \n ```\n \n5. The browser renders the `\u003cimg\u003e` tag, the `onerror` fires, and JavaScript executes in the victim\u0027s session context\n\n## Proof of Concept\n\n### Request\n\n```http\nGET /rss/tag/%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E?token=60b83b06df98b24c66367bc3d233105b HTTP/1.1\nHost: localhost:5000\n\n```\n\n### Response\n\n```http\nHTTP/1.1 404 NOT FOUND\nContent-Type: text/html; charset=utf-8\n\nTag with UUID \u003cimg src=x onerror=alert(document.domain)\u003e not found\n\n```\n\nThe XSS payload is reflected unescaped in an HTML response. The browser executes `alert(document.domain)` and displays \"localhost\", confirming JavaScript execution.\n\n**Tested on:** changedetection.io v0.54.1 (Docker, localhost, Feb 25, 2026)\n\n\nhttps://github.com/user-attachments/assets/6db07f6a-6df8-48a7-a597-9f39dfa1bb29\n\n\n## Impact\n\n- **Session cookie theft** via `document.cookie` exfiltration\n- **Account takeover** if session cookies lack the `HttpOnly` flag\n- **Phishing** via crafted links that appear to originate from a trusted changedetection.io instance\n- **Low exploitation barrier** - the RSS token is obtainable without authentication from the homepage `\u003clink\u003e` tag\n- **Widespread exposure** - prior scanning of internet-facing instances (during CVE-2026-27645 research) identified 500+ publicly accessible deployments\n\n## Suggested Fix\n\nEscape the `tag_uuid` parameter before reflecting it in the response, or set the `Content-Type` to `text/plain`:\n\n### Option A: HTML Escape (Recommended)\n\n```python\nfrom markupsafe import escape\n\nif not tag:\n return f\"Tag with UUID {escape(tag_uuid)} not found\", 404\n\n```\n\n### Option B: Set Content-Type to text/plain\n\n```python\nfrom flask import make_response\n\nif not tag:\n resp = make_response(f\"Tag with UUID {tag_uuid} not found\", 404)\n resp.headers[\u0027Content-Type\u0027] = \u0027text/plain; charset=utf-8\u0027\n return resp\n\n```\n## Credits\n\n- **Roberto Nunes** ([@Akokonunes](https://github.com/Akokonunes)) - Reporter\n- **neo-ai-engineer** ([@neo-ai-engineer](https://github.com/neo-ai-engineer)) - Reporter\n\n## References\n- Related advisory: [GHSA-mw8m-398g-h89w](https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w) (CVE-2026-27645)\n- Vulnerable source: [tag.py @ 1d72716](https://raw.githubusercontent.com/dgtlmoon/changedetection.io/1d72716c6988a4f6796bb85a5d42872800cd7a70/changedetectionio/blueprint/rss/tag.py)",
"id": "GHSA-8whx-v8qq-pq64",
"modified": "2026-03-06T21:57:09Z",
"published": "2026-03-04T20:58:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29038"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgtlmoon/changedetection.io"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "changedetection.io has Reflected XSS in its RSS Tag Error Response"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…