
4 matches found

RedhatCVE
added 2026/04/09 7:23 p.m., 1 view

CVE-2026-35490

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route instead of after it. In Flask, @route must be the outermost decorator because it registers the function it receives. When the...

9.8 CVSS, 5.9 AI score, 0.0003 EPSS
Exploits 1, References 1
PyPA
added 2026/04/07 4:16 p.m., 7 views

PYSEC-2026-28

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route instead of after it. In Flask, @route must be the outermost decorator because it registers the function it receives. When the...

9.8 CVSS, 5.8 AI score, 0.0003 EPSS
Exploits 1, References 1, Affected Software 1
Cvelist
added 2026/04/07 2:55 p.m., 13 views

CVE-2026-35490 changedetection.io has an Authentication Bypass via Decorator Ordering

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route instead of after it. In Flask, @route must be the outermost decorator because it registers the function it receives. When the...

9.8 CVSS, 0.0003 EPSS
Exploits 1, References 1
CVE
added 2026/04/07 2:55 p.m., 12 views

CVE-2026-35490

CVE-2026-35490 affects changedetection.io before 0.54.8. In Flask, the decorator order was wrong: @login_optionally_required applied before @blueprint.route(), causing the route to register the undecorated function and bypass authentication. The issue affects multiple routes across several bluepr...

9.8 CVSS, 5.9 AI score, 0.0003 EPSS
Exploits 1, References 1, Affected Software 1