VulnerableCode Package Details - pkg:pypi/changedetection-io@0.54.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-6aa7-urwd-tqgw Aliases: CVE-2026-41895 GHSA-v7cp-2cx9-x793 PYSEC-2026-29	changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).	0.54.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ek84-hjsn-yya7 Aliases: CVE-2026-35490 GHSA-jmrh-xmgh-x9j4 PYSEC-2026-28	changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.	0.54.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-f4ss-7wu5-wqde Aliases: CVE-2026-43891 GHSA-8757-69j2-hx56 PYSEC-2026-30	changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.	0.55.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-6aa7-urwd-tqgw
Aliases:
CVE-2026-41895
GHSA-v7cp-2cx9-x793
PYSEC-2026-29

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).

0.54.10
Affected by 1 other vulnerability.

VCID-ek84-hjsn-yya7
Aliases:
CVE-2026-35490
GHSA-jmrh-xmgh-x9j4
PYSEC-2026-28

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.

0.54.8
Affected by 2 other vulnerabilities.

VCID-f4ss-7wu5-wqde
Aliases:
CVE-2026-43891
GHSA-8757-69j2-hx56
PYSEC-2026-30

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.

0.55.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T09:48:04.095971+00:00	PyPI Importer	Affected by	VCID-f4ss-7wu5-wqde	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:48:03.671493+00:00	PyPI Importer	Affected by	VCID-6aa7-urwd-tqgw	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:47:44.364019+00:00	PyPI Importer	Affected by	VCID-ek84-hjsn-yya7	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-30T20:38:37.798998+00:00	Pypa Importer	Affected by	VCID-f4ss-7wu5-wqde	https://github.com/pypa/advisory-database/blob/main/vulns/changedetection-io/PYSEC-2026-30.yaml	38.6.0
2026-05-30T20:38:36.947005+00:00	Pypa Importer	Affected by	VCID-6aa7-urwd-tqgw	https://github.com/pypa/advisory-database/blob/main/vulns/changedetection-io/PYSEC-2026-29.yaml	38.6.0
2026-05-30T20:37:56.795676+00:00	Pypa Importer	Affected by	VCID-ek84-hjsn-yya7	https://github.com/pypa/advisory-database/blob/main/vulns/changedetection-io/PYSEC-2026-28.yaml	38.6.0