
54 matches found

CNNVD
added 2026/03/27 12:00 a.m., 3 views

changedetection.io information disclosure vulnerability

changedetection.io is a website-based application developed by dgtlmoon, designed for change detection, monitoring, and notification. Versions of changedetection.io prior to 0.54.7 contained a vulnerability related to information leakage. This vulnerability stemmed from the use of filter...

CVSS 8.3 | AI score 5.8 | EPSS 0.00475
Exploits: 1 | References: 4
Vulnrichment
added 2026/03/06 6:54 a.m., 2 views

CVE-2026-29065 changedetection.io: Zip Slip vulnerability in the backup restore functionality

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4...

CVSS 9.3 | AI score 5.8 | EPSS 0.00527
Exploits: 1 | References: 3
Cvelist
added 2026/03/06 6:54 a.m., 34 views

CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which...

CVSS 9.3 | EPSS 0.00484
Exploits: 1 | References: 3
OSV
added 2026/03/06 6:54 a.m., 4 views

CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which...

CVSS 9.3 | AI score 5.8 | EPSS 0.00484
Exploits: 1 | References: 5
CVE
added 2026/03/06 6:54 a.m., 12 views

CVE-2026-29039

Changedetection.io prior to 0.54.4 is vulnerable to an Arbitrary File Read via XPath in include_filters, where unparsed-text() can read files accessible to the application. Affected component is the XPath-based content filter processing using the elementpath parser. Impact includes reading sensit...

CVSS 9.3 | AI score 6 | EPSS 0.00484
Exploits: 1 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/03/06 6:53 a.m., 1 view

CVE-2026-29038 changedetection.io: Reflected XSS in RSS Tag Error Response

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The taguuid path parameter is reflected directly in the HTTP response body...

CVSS 6.1 | AI score 5.6 | EPSS 0.00282
Exploits: 1 | References: 3
CNNVD
added 2026/03/06 12:00 a.m., 3 views

changedetection.io path traversal vulnerability

changedetection.io is a website-based application developed by dgtlmoon, designed for change detection, monitoring, and notification. Versions of changedetection.io prior to 0.54.4 contained a path traversal vulnerability. This vulnerability stemmed from an arbitrary file overwrite vulnerability ...

CVSS 9.3 | AI score 5.9 | EPSS 0.00527
Exploits: 1 | References: 3
CNNVD
added 2026/03/06 12:00 a.m., 4 views

changedetection.io cross-site scripting vulnerability

Changedetection.io is a website change detection, monitoring, and notification application developed by dgtlmoon. Versions of Changedetection.io prior to 0.54.4 contained a cross-site scripting vulnerability. This vulnerability stemmed from the taguuid path parameter in the /rss/tag/ endpoint bei...

CVSS 6.1 | AI score 5.7 | EPSS 0.00282
Exploits: 1 | References: 4
Github Security Blog
added 2026/03/04 8:58 p.m., 74 views

changedetection.io has Reflected XSS in its RSS Tag Error Response

A reflected cross-site scripting (XSS) vulnerability was identified in the /rss/tag/ endpoint of changedetection.io. The taguuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser...

CVSS 6.1 | AI score 5.8 | EPSS 0.00282
Exploits: 1 | References: 6 | Affected Software: 1
RedhatCVE
added 2026/02/26 4:16 a.m., 2 views

CVE-2026-27645

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the...

CVSS 6.1 | AI score 5.4 | EPSS 0.00445
Exploits: 1 | References: 1
OSV
added 2026/02/25 7:08 p.m., 4 views

GHSA-3C45-4PJ5-CH7M changedetection.io is Vulnerable to SSRF via Watch URLs

Summary: Changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function is_safe_valid_url does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user or any user when no password is...

CVSS 8.6 | AI score 5.8 | EPSS 0.00445
Exploits: 1 | References: 4
Snyk
added 2026/02/25 9:18 a.m., 4 views

Server-side Request Forgery (SSRF)

Overview: changedetection.io is a website change detection and monitoring service. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the is_safe_valid_url function. An attacker can access internal network resources and exfiltrate sensitive data by submitting...

CVSS 9.2 | AI score 6 | EPSS 0.00445
Exploits: 1 | References: 2
CVE
added 2026/02/25 4:16 a.m., 12 views

CVE-2026-27696

CVE-2026-27696 affects changedetection.io prior to 0.54.1. The SSRF vulnerability arises because is_safe_valid_url() does not validate the resolved IP against private, loopback, or link-local ranges, allowing an authenticated user (or any user when no password is configured by default) to add wat...

CVSS 8.6 | AI score 5.5 | EPSS 0.00445
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/02/25 4:06 a.m., 2 views

CVE-2026-27645 changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the...

CVSS 6.1 | AI score 5.3 | EPSS 0.00445
Exploits: 1 | References: 2
ATTACKERKB
added 2026/02/25 4:06 a.m., 3 views

CVE-2026-27645

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the...

CVSS 6.1 | AI score 5.4 | EPSS 0.00445
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/02/25 4:06 a.m., 4 views

CVE-2026-27645 changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the...

CVSS 6.1 | AI score 5.6 | EPSS 0.00445
Exploits: 1 | References: 4
Positive Technologies
added 2026/02/25 12:00 a.m., 4 views

PT-2026-21866

Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.54.1. Description: The application reflects the UUID path parameter directly in the HTTP response body without HTML escaping in the RSS single-watch endpoint. Because Flask defaults to returning text/html f...

CVSS 6.1 | AI score 5.7 | EPSS 0.00445
Exploits: 1 | References: 12
Vulnrichment
added 2026/02/19 2:18 p.m., 6 views

CVE-2026-25527 changedetection.io vulnerable to unauthenticated static path traversal

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the /static// route accepts group="..", which causes send_from_directory("static/..", filename) to execute. This moves the base directory up to /app/changedetectionio, enabling unauthenticated local...

CVSS 5.3 | AI score 5.4 | EPSS 0.0074
Exploits: 1 | References: 2
CVE
added 2026/02/19 2:18 p.m., 15 views

CVE-2026-25527

Changedetection.io versions prior to 0.53.2 are vulnerable to unauthenticated local file read via path traversal in the /static// route when group=".." is supplied, potentially exposing source files (e.g., flask_app.py). Root cause: send_from_directory("static/..", filename) can escape the app di...

CVSS 5.3 | AI score 5.4 | EPSS 0.0074
Exploits: 1 | References: 2 | Affected Software: 1
CNNVD
added 2026/02/19 12:00 a.m., 3 views

changedetection.io path traversal vulnerability

Changedetection.io is a website-based application developed by dgtlmoon, designed for file change detection, monitoring, and notification. Versions of changedetection.io prior to 0.53.2 contained a path traversal vulnerability. This vulnerability stemmed from the /static// route accepting the...

CVSS 5.3 | AI score 5.8 | EPSS 0.0074
Exploits: 1 | References: 2