108 matches found
PT-2026-28583
Name of the Vulnerable Software and Affected Versions changedetection.io versions prior to 0.54.7 Description The jq: and jqraw: include filter expressions in changedetection.io allow the use of the jq env builtin, which reads all process environment variables and stores them as the watch snapsho...
CVE-2026-29038
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting XSS vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The taguuid path parameter is reflected directly in the HTTP response body...
CVE-2026-29065
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4...
CVE-2026-29039
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...
Path Traversal
changedetection.io is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths during the backup restore process, which allows an attacker to upload a crafted ZIP archive containing path traversal sequences and overwrite arbitrary files on the system...
CVE-2026-29039
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...
CVE-2026-29065 changedetection.io: Zip Slip vulnerability in the backup restore functionality
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4...
CVE-2026-29039
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...
CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...
CVE-2026-29038 changedetection.io: Reflected XSS in RSS Tag Error Response
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting XSS vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The taguuid path parameter is reflected directly in the HTTP response body...
changedetection.io 代码注入漏洞
changedetection.io is a website-based application developed by dgtlmoon, designed for code inspection, monitoring, and notification. Versions of changedetection.io prior to 0.54.4 contained a code injection vulnerability. This vulnerability stemmed from unvalidated or uncleaned XPath expressions,...
Arbitrary Code Injection
Overview changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Arbitrary Code Injection via the unparsed-text function in XPath expressions processed by the application. An attacker can access and read arbitrary files from the...
changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text()
Summary - The changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. - XPath 3.0 includes the unparsed-text function...
EUVD-2026-8622
changedetection.io is Vulnerable to SSRF via Watch URLs...
GHSA-MW8M-398G-H89W changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
Summary Three security vulnerabilities were identified in changedetection.io through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version 0.53.6 it was additionally validated at scale against 500...
CVE-2026-27696 changedetection.io Vulnerable to Server-Side Request Forgery (SSRF) via Watch URLs
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery SSRF because the URL validation function issafevalidurl does not validate the resolved IP address of watch URLs against private,...
CVE-2026-27696 changedetection.io Vulnerable to Server-Side Request Forgery (SSRF) via Watch URLs
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery SSRF because the URL validation function issafevalidurl does not validate the resolved IP address of watch URLs against private,...
CVE-2026-27696 changedetection.io Vulnerable to Server-Side Request Forgery (SSRF) via Watch URLs
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery SSRF because the URL validation function issafevalidurl does not validate the resolved IP address of watch URLs against private,...
CVE-2026-27696
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery SSRF because the URL validation function issafevalidurl does not validate the resolved IP address of watch URLs against private,...
CVE-2026-27645
CVE-2026-27645 : In affected changedetection.io versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Because Flask returns text/html by default for plain string responses, the browser may parse and execu...