13 matches found
CVE-2024-23329
Product/issue: changedetection.io Vulnerability: The API endpoint /api/v1/watch//history can be accessed by an unauthorized user, exposing watch history paths. The underlying cause is missing access control on the WatchHistory resource. Impact (as stated): Unauthorized access to watch history wit...
CVE-2023-24769
CVE-2023-24769 affects changedetection.io prior to v0.40.1.1. A stored XSS vulnerability exists on the main page, allowing an attacker to inject arbitrary script/HTML via the URL parameter used by the “Add a new change detection watch” feature. Impact described in sources includes execution of ar...
CVE-2026-27645
CVE-2026-27645 : In affected changedetection.io versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Because Flask returns text/html by default for plain string responses, the browser may parse and execu...
CVE-2026-25527
Changedetection.io versions prior to 0.53.2 are vulnerable to unauthenticated local file read via path traversal in the /static// route when group=".." is supplied, potentially exposing source files (e.g., flask_app.py). Root cause: send_from_directory("static/..", filename) can escape the app di...
CVE-2026-29065
CVE-2026-29065 affects changedetection.io; pre-0.54.4, the backup restore function is vulnerable to Zip Slip (path traversal) in ZIP archives, enabling arbitrary file overwrite outside the extraction directory. Impact is described as high confidentiality and integrity risk with network attacker a...
CVE-2026-33981
Technical details for CVE-2026-33981 are not publicly available in the provided documents. No affected products, impact, or remediation are identifiable here. Monitor for updates .
CVE-2026-35490
CVE-2026-35490 affects changedetection.io before 0.54.8. In Flask, the decorator order was wrong: @login_optionally_required applied before @blueprint.route(), causing the route to register the undecorated function and bypass authentication. The issue affects multiple routes across several bluepr...
CVE-2026-43891
Summary: CVE-2026-43891 and related advisories describe an arbitrary local file read in changedetection.io caused by trusting attacker-controlled history.txt entries restored via crafted backups. Prior to 0.55.1, history values containing path separators are treated as filesystem paths and can re...
CVE-2026-27696
CVE-2026-27696 affects changedetection.io prior to 0.54.1. The SSRF vulnerability arises because is_safe_valid_url() does not validate the resolved IP against private, loopback, or link-local ranges, allowing an authenticated user (or any user when no password is configured by default) to add wat...
CVE-2026-29038
CVE-2026-29038 affects changedetection.io before version 0.54.4. The vulnerability is a reflected XSS in the /rss/tag/ endpoint where the URL path parameter tag_uuid is reflected in the HTTP response body without HTML escaping. Flask returns text/html by default for plain strings, enabling the br...
CVE-2026-29039
Changedetection.io prior to 0.54.4 is vulnerable to an Arbitrary File Read via XPath in include_filters, where unparsed-text() can read files accessible to the application. Affected component is the XPath-based content filter processing using the elementpath parser. Impact includes reading sensit...
CVE-2026-41895
The CVE-2026-41895 entry concerns changedetection.io and documents an XXE vulnerability in its XML/RSS handling. In version 0.54.9 and earlier, xpath_filter() switches to XML mode and constructs etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external D...
CVE-2026-35000
ChangeDetection.io before version 0.54.7 contains a bypass in the SafeXPath3Parser that can read local files by using unblocked XPath 3.0/3.1 functions (e.g., json-doc()) due to an incomplete blocklist. Affected software is ChangeDetection.io; attackers could access sensitive data from the local ...