Search for packages
| purl | pkg:pypi/changedetection-io@0.45.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6aa7-urwd-tqgw
Aliases: CVE-2026-41895 GHSA-v7cp-2cx9-x793 PYSEC-2026-29 |
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...). |
Affected by 1 other vulnerability. |
|
VCID-a156-qupb-eqcv
Aliases: CVE-2025-62780 GHSA-4c3j-3h7v-22q9 PYSEC-2025-91 |
changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the JavaScript malicious code is executed. Version 0.50.34 fixes the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-ek84-hjsn-yya7
Aliases: CVE-2026-35490 GHSA-jmrh-xmgh-x9j4 PYSEC-2026-28 |
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8. |
Affected by 2 other vulnerabilities. |
|
VCID-esz6-geex-bucb
Aliases: CVE-2024-23329 GHSA-hcvp-2cc7-jrwr PYSEC-2024-15 |
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 4 other vulnerabilities. |
|
VCID-f4ss-7wu5-wqde
Aliases: CVE-2026-43891 GHSA-8757-69j2-hx56 PYSEC-2026-30 |
changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||