Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/changedetection-io@0.49.5
Typepypi
Namespace
Namechangedetection-io
Version0.49.5
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.55.1
Latest_non_vulnerable_version0.55.1
Affected_by_vulnerabilities
0
url VCID-6154-3xru-6bdz
vulnerability_id VCID-6154-3xru-6bdz
summary changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.
references
0
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56
1
reference_url https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44
fixed_packages
0
url pkg:pypi/changedetection-io@0.55.1
purl pkg:pypi/changedetection-io@0.55.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.55.1
aliases CVE-2026-43891, PYSEC-2026-30
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6154-3xru-6bdz
1
url VCID-a7m7-dqk3-muf7
vulnerability_id VCID-a7m7-dqk3-muf7
summary changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
references
0
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793
fixed_packages
0
url pkg:pypi/changedetection-io@0.54.10
purl pkg:pypi/changedetection-io@0.54.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6154-3xru-6bdz
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.54.10
aliases CVE-2026-41895, GHSA-v7cp-2cx9-x793, PYSEC-2026-29
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a7m7-dqk3-muf7
2
url VCID-fj66-qw6n-nfa6
vulnerability_id VCID-fj66-qw6n-nfa6
summary changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the JavaScript malicious code is executed. Version 0.50.34 fixes the issue.
references
0
reference_url https://github.com/dgtlmoon/changedetection.io
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io
1
reference_url https://github.com/dgtlmoon/changedetection.io/issues/3562
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/issues/3562
2
reference_url https://github.com/dgtlmoon/changedetection.io/pull/3564
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/pull/3564
3
reference_url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.50.34
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.50.34
4
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4c3j-3h7v-22q9
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4c3j-3h7v-22q9
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-62780
reference_id CVE-2025-62780
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-62780
6
reference_url https://github.com/advisories/GHSA-4c3j-3h7v-22q9
reference_id GHSA-4c3j-3h7v-22q9
reference_type
scores
url https://github.com/advisories/GHSA-4c3j-3h7v-22q9
fixed_packages
0
url pkg:pypi/changedetection-io@0.50.34
purl pkg:pypi/changedetection-io@0.50.34
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6154-3xru-6bdz
1
vulnerability VCID-a7m7-dqk3-muf7
2
vulnerability VCID-pnn6-ap8j-6qhv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.50.34
aliases CVE-2025-62780, GHSA-4c3j-3h7v-22q9, PYSEC-2025-91
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fj66-qw6n-nfa6
3
url VCID-pnn6-ap8j-6qhv
vulnerability_id VCID-pnn6-ap8j-6qhv
summary changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
references
0
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4
fixed_packages
0
url pkg:pypi/changedetection-io@0.54.8
purl pkg:pypi/changedetection-io@0.54.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6154-3xru-6bdz
1
vulnerability VCID-a7m7-dqk3-muf7
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.54.8
aliases CVE-2026-35490, GHSA-jmrh-xmgh-x9j4, PYSEC-2026-28
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pnn6-ap8j-6qhv
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.49.5