Package details: pkg:pypi/changedetection.io@0.52.8
purl pkg:pypi/changedetection.io@0.52.8
Next non-vulnerable version 0.55.1
Latest non-vulnerable version 0.55.1
Vulnerabilities affecting this package (9)
Each entry lists the vulnerability id, its aliases, a summary, and the version that fixes it.
VCID-6r4e-eq4u-yuek
Aliases:
CVE-2026-41895
GHSA-v7cp-2cx9-x793
PYSEC-2026-29
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
Fixed by: 0.54.10 (affected by 1 other vulnerability)
VCID-6vhr-wdcn-byf8
Aliases:
CVE-2026-29039
GHSA-6fmw-82m7-jq6p
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
Fixed by: 0.54.4 (affected by 4 other vulnerabilities)
VCID-b36q-52sb-tkd6
Aliases:
CVE-2026-29038
GHSA-8whx-v8qq-pq64
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Fixed by: 0.54.4 (affected by 4 other vulnerabilities)
VCID-fnhh-j4zf-7ya9
Aliases:
CVE-2026-43891
GHSA-8757-69j2-hx56
PYSEC-2026-30
changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the application trusts attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt when the watch's history property is read, follows the snapshot paths it contains, and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.
Fixed by: 0.55.1 (affected by 0 other vulnerabilities)
VCID-g9np-9kpd-d7hx
Aliases:
CVE-2026-33981
GHSA-58r7-4wr5-hfx8
changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue.
Fixed by: 0.54.7 (affected by 3 other vulnerabilities)
VCID-gcdt-mdbg-f7c3
Aliases:
CVE-2026-27696
GHSA-3c45-4pj5-ch7m
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.
Fixed by: 0.54.1 (affected by 7 other vulnerabilities)
VCID-mfn1-axbk-suf9
Aliases:
CVE-2026-27645
GHSA-mw8m-398g-h89w
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Fixed by: 0.53.7 (affected by 8 other vulnerabilities)
VCID-tkfe-t9cg-yqb3
Aliases:
CVE-2026-29065
GHSA-25g8-2mcf-fcx9
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.
Fixed by: 0.54.4 (affected by 4 other vulnerabilities)
VCID-u9sm-antt-4yh9
Aliases:
CVE-2026-35490
GHSA-jmrh-xmgh-x9j4
PYSEC-2026-28
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
Fixed by: 0.54.8 (affected by 2 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.
History
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-12T22:21:26.350304+00:00 GitLab Importer Affected by VCID-fnhh-j4zf-7ya9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-43891.yml 38.6.0
2026-06-12T22:19:33.172740+00:00 GitLab Importer Affected by VCID-6r4e-eq4u-yuek https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-41895.yml 38.6.0
2026-06-12T21:54:04.922317+00:00 GitLab Importer Affected by VCID-u9sm-antt-4yh9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-35490.yml 38.6.0
2026-06-12T21:40:41.591762+00:00 GitLab Importer Affected by VCID-g9np-9kpd-d7hx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-33981.yml 38.6.0
2026-06-12T21:17:31.107953+00:00 GitLab Importer Affected by VCID-6vhr-wdcn-byf8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-29039.yml 38.6.0
2026-06-12T21:17:22.190237+00:00 GitLab Importer Affected by VCID-b36q-52sb-tkd6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-29038.yml 38.6.0
2026-06-12T21:17:18.884051+00:00 GitLab Importer Affected by VCID-tkfe-t9cg-yqb3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-29065.yml 38.6.0
2026-06-12T21:09:15.742842+00:00 GitLab Importer Affected by VCID-mfn1-axbk-suf9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-27645.yml 38.6.0
2026-06-12T21:08:10.655533+00:00 GitLab Importer Affected by VCID-gcdt-mdbg-f7c3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-27696.yml 38.6.0