Package details: pkg:pypi/changedetection.io@0.54.4
purl pkg:pypi/changedetection.io@0.54.4
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-d2gt-k5me-8kb7 | changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text(). The changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. | CVE-2026-29039, GHSA-6fmw-82m7-jq6p |
| VCID-rkza-pbrx-zkgt | changedetection.io has Reflected XSS in its RSS Tag Error Response. A reflected cross-site scripting (XSS) vulnerability was identified in the `/rss/tag/` endpoint of changedetection.io. The `tag_uuid` path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns `text/html` by default for plain string responses, the browser parses and executes injected JavaScript. This vulnerability persists in version **0.54.1**, which patched the related XSS in `/rss/watch/` (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint. | CVE-2026-29038, GHSA-8whx-v8qq-pq64 |
| VCID-vwmv-17mb-ubbu | changedetection.io has Zip Slip vulnerability in the backup restore functionality. A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. | CVE-2026-29065, GHSA-25g8-2mcf-fcx9 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-02T04:51:20.956280+00:00 | GitLab Importer | Fixing | VCID-d2gt-k5me-8kb7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-29039.yml | 38.6.0 |
| 2026-06-02T04:51:20.045419+00:00 | GitLab Importer | Fixing | VCID-rkza-pbrx-zkgt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-29038.yml | 38.6.0 |
| 2026-06-02T04:51:19.874013+00:00 | GitLab Importer | Fixing | VCID-vwmv-17mb-ubbu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/changedetection.io/CVE-2026-29065.yml | 38.6.0 |