
5 matches found

CNNVD
added 2026/05/12 12:0 a.m., 6 views

changedetection.io code issue vulnerability

changedetection.io is a website-based application developed by dgtlmoon, designed for code inspection, monitoring, and notification. Versions of changedetection.io prior to 0.54.9 contained a code vulnerability. This vulnerability stemmed from the xpathfilter function not disabling external entit...

8.2 CVSS, 5.9 AI score, 0.00266 EPSS
Exploits: 0, References: 2
CVE
added 2026/03/06 6:53 a.m., 13 views

CVE-2026-29038

CVE-2026-29038 affects changedetection.io before version 0.54.4. The vulnerability is a reflected XSS in the /rss/tag/ endpoint where the URL path parameter tag_uuid is reflected in the HTTP response body without HTML escaping. Flask returns text/html by default for plain strings, enabling the br...

6.1 CVSS, 5.7 AI score, 0.00282 EPSS
Exploits: 1, References: 3, Affected Software: 1
Positive Technologies
added 2026/03/04 12:0 a.m., 3 views

PT-2026-23090

Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.54.4. Description: The changedetection.io application allows users to specify XPath expressions as content filters via the include filters field. These XPath expressions are processed using the elementpath...

9.3 CVSS, 5.9 AI score, 0.00484 EPSS
Exploits: 1, References: 10
RedhatCVE
added 2026/02/20 7:40 p.m., 5 views

CVE-2026-25527

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the /static// route accepts group="..", which causes send_from_directory("static/..", filename) to execute. This moves the base directory up to /app/changedetectionio, enabling unauthenticated local...

5.3 CVSS, 5.4 AI score, 0.0074 EPSS
Exploits: 1, References: 1
Cvelist
added 2026/02/19 2:18 p.m., 22 views

CVE-2026-25527 changedetection.io vulnerable to unauthenticated static path traversal

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the /static// route accepts group="..", which causes send_from_directory("static/..", filename) to execute. This moves the base directory up to /app/changedetectionio, enabling unauthenticated local...

5.3 CVSS, 0.0074 EPSS
Exploits: 1, References: 2