Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/changedetection.io@0.54.4
Type pypi
Namespace
Name changedetection.io
Version 0.54.4
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 0.40.2
Latest_non_vulnerable_version 0.54.4
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-d2gt-k5me-8kb7
vulnerability_id VCID-d2gt-k5me-8kb7
summary
changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text()
- The changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library, which implements the XPath 3.0/3.1 specification.

- XPath 3.0 includes the unparsed-text() function, which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process.
references
0
reference_url https://github.com/dgtlmoon/changedetection.io
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io
1
reference_url https://github.com/dgtlmoon/changedetection.io/commit/417d57e5749441e4be9acc4010369bded805d66f
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/commit/417d57e5749441e4be9acc4010369bded805d66f
2
reference_url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29039
reference_id CVE-2026-29039
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-29039
4
reference_url https://github.com/advisories/GHSA-6fmw-82m7-jq6p
reference_id GHSA-6fmw-82m7-jq6p
reference_type
scores
url https://github.com/advisories/GHSA-6fmw-82m7-jq6p
5
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6fmw-82m7-jq6p
reference_id GHSA-6fmw-82m7-jq6p
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6fmw-82m7-jq6p
fixed_packages
0
url pkg:pypi/changedetection.io@0.54.4
purl pkg:pypi/changedetection.io@0.54.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4
aliases CVE-2026-29039, GHSA-6fmw-82m7-jq6p
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d2gt-k5me-8kb7
1
url VCID-rkza-pbrx-zkgt
vulnerability_id VCID-rkza-pbrx-zkgt
summary
changedetection.io has Reflected XSS in its RSS Tag Error Response
A reflected cross-site scripting (XSS) vulnerability was identified in the `/rss/tag/` endpoint of changedetection.io. The `tag_uuid` path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns `text/html` by default for plain string responses, the browser parses and executes injected JavaScript.

This vulnerability persists in version **0.54.1**, which patched the related XSS in `/rss/watch/` (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint.
references
0
reference_url https://github.com/dgtlmoon/changedetection.io
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io
1
reference_url https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780
2
reference_url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29038
reference_id CVE-2026-29038
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-29038
4
reference_url https://github.com/advisories/GHSA-8whx-v8qq-pq64
reference_id GHSA-8whx-v8qq-pq64
reference_type
scores
url https://github.com/advisories/GHSA-8whx-v8qq-pq64
5
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64
reference_id GHSA-8whx-v8qq-pq64
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64
6
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
reference_id GHSA-mw8m-398g-h89w
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
fixed_packages
0
url pkg:pypi/changedetection.io@0.54.4
purl pkg:pypi/changedetection.io@0.54.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4
aliases CVE-2026-29038, GHSA-8whx-v8qq-pq64
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rkza-pbrx-zkgt
2
url VCID-vwmv-17mb-ubbu
vulnerability_id VCID-vwmv-17mb-ubbu
summary
changedetection.io has Zip Slip vulnerability in the backup restore functionality
A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives.
references
0
reference_url https://github.com/dgtlmoon/changedetection.io
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io
1
reference_url https://github.com/dgtlmoon/changedetection.io/commit/1d7d812eb0faab37042246e2fbce04f29bb1b3aa
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/commit/1d7d812eb0faab37042246e2fbce04f29bb1b3aa
2
reference_url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
reference_id
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29065
reference_id CVE-2026-29065
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-29065
4
reference_url https://github.com/advisories/GHSA-25g8-2mcf-fcx9
reference_id GHSA-25g8-2mcf-fcx9
reference_type
scores
url https://github.com/advisories/GHSA-25g8-2mcf-fcx9
5
reference_url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-25g8-2mcf-fcx9
reference_id GHSA-25g8-2mcf-fcx9
reference_type
scores
url https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-25g8-2mcf-fcx9
fixed_packages
0
url pkg:pypi/changedetection.io@0.54.4
purl pkg:pypi/changedetection.io@0.54.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4
aliases CVE-2026-29065, GHSA-25g8-2mcf-fcx9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vwmv-17mb-ubbu
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4