Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/39872?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/39872?format=api", "purl": "pkg:pypi/changedetection.io@0.54.1", "type": "pypi", "namespace": "", "name": "changedetection.io", "version": "0.54.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.55.1", "latest_non_vulnerable_version": "0.55.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80757?format=api", "vulnerability_id": "VCID-6r4e-eq4u-yuek", "summary": "changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41895", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14846", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14724", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41895" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-29.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-29.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41895", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41895" }, { "reference_url": "https://github.com/advisories/GHSA-v7cp-2cx9-x793", "reference_id": "GHSA-v7cp-2cx9-x793", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v7cp-2cx9-x793" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793", "reference_id": "GHSA-v7cp-2cx9-x793", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T15:09:28Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1053930?format=api", "purl": "pkg:pypi/changedetection.io@0.54.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fnhh-j4zf-7ya9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.10" } ], "aliases": [ "CVE-2026-41895", "GHSA-v7cp-2cx9-x793", "PYSEC-2026-29" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6r4e-eq4u-yuek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73979?format=api", "vulnerability_id": "VCID-6vhr-wdcn-byf8", "summary": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29039", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05754", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05731", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29039" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4", "reference_id": "0.54.4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:58:13Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/commit/417d57e5749441e4be9acc4010369bded805d66f", "reference_id": "417d57e5749441e4be9acc4010369bded805d66f", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:58:13Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/commit/417d57e5749441e4be9acc4010369bded805d66f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29039", "reference_id": "CVE-2026-29039", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29039" }, { "reference_url": "https://github.com/advisories/GHSA-6fmw-82m7-jq6p", "reference_id": "GHSA-6fmw-82m7-jq6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6fmw-82m7-jq6p" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6fmw-82m7-jq6p", "reference_id": "GHSA-6fmw-82m7-jq6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:58:13Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6fmw-82m7-jq6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40204?format=api", "purl": "pkg:pypi/changedetection.io@0.54.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4e-eq4u-yuek" }, { "vulnerability": "VCID-fnhh-j4zf-7ya9" }, { "vulnerability": "VCID-g9np-9kpd-d7hx" }, { "vulnerability": "VCID-u9sm-antt-4yh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4" } ], "aliases": [ "CVE-2026-29039", "GHSA-6fmw-82m7-jq6p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6vhr-wdcn-byf8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74067?format=api", "vulnerability_id": "VCID-b36q-52sb-tkd6", "summary": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29038", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05891", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05865", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29038" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4", "reference_id": "0.54.4", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T19:57:33Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29038", "reference_id": "CVE-2026-29038", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29038" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780", "reference_id": "ec7d56f85d1e9690fca7cb4711c1fb20dffec780", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T19:57:33Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780" }, { "reference_url": "https://github.com/advisories/GHSA-8whx-v8qq-pq64", "reference_id": "GHSA-8whx-v8qq-pq64", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8whx-v8qq-pq64" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64", "reference_id": "GHSA-8whx-v8qq-pq64", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T19:57:33Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w", "reference_id": "GHSA-mw8m-398g-h89w", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40204?format=api", "purl": "pkg:pypi/changedetection.io@0.54.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4e-eq4u-yuek" }, { "vulnerability": "VCID-fnhh-j4zf-7ya9" }, { "vulnerability": "VCID-g9np-9kpd-d7hx" }, { "vulnerability": "VCID-u9sm-antt-4yh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4" } ], "aliases": [ "CVE-2026-29038", "GHSA-8whx-v8qq-pq64" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b36q-52sb-tkd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65513?format=api", "vulnerability_id": "VCID-fnhh-j4zf-7ya9", "summary": "changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.1153", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11452", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43891" }, { "reference_url": "https://github.com/advisories/GHSA-8757-69j2-hx56", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8757-69j2-hx56" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-30.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-30.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43891", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43891" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56", "reference_id": "GHSA-8757-69j2-hx56", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:36:12Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56" }, { "reference_url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44", "reference_id": "GHSA-w6p7-2fxx-4f44", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376013?format=api", "purl": "pkg:pypi/changedetection.io@0.55.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.55.1" } ], "aliases": [ "CVE-2026-43891", "GHSA-8757-69j2-hx56", "PYSEC-2026-30" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fnhh-j4zf-7ya9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78203?format=api", "vulnerability_id": "VCID-g9np-9kpd-d7hx", "summary": "changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33981", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04917", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04921", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33981" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33981", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33981" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "reference_id": "0.54.7", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:36:19Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f", "reference_id": "65517a9c74a0cbe1a4661314470b28131ef5557f", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:36:19Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f" }, { "reference_url": "https://github.com/advisories/GHSA-58r7-4wr5-hfx8", "reference_id": "GHSA-58r7-4wr5-hfx8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-58r7-4wr5-hfx8" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "reference_id": "GHSA-58r7-4wr5-hfx8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:36:19Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375068?format=api", "purl": "pkg:pypi/changedetection.io@0.54.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4e-eq4u-yuek" }, { "vulnerability": "VCID-fnhh-j4zf-7ya9" }, { "vulnerability": "VCID-u9sm-antt-4yh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.7" } ], "aliases": [ "CVE-2026-33981", "GHSA-58r7-4wr5-hfx8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g9np-9kpd-d7hx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74002?format=api", "vulnerability_id": "VCID-tkfe-t9cg-yqb3", "summary": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29065", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09373", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.0932", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29065" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4", "reference_id": "0.54.4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:59:02Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/commit/1d7d812eb0faab37042246e2fbce04f29bb1b3aa", "reference_id": "1d7d812eb0faab37042246e2fbce04f29bb1b3aa", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:59:02Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/commit/1d7d812eb0faab37042246e2fbce04f29bb1b3aa" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29065", "reference_id": "CVE-2026-29065", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29065" }, { "reference_url": "https://github.com/advisories/GHSA-25g8-2mcf-fcx9", "reference_id": "GHSA-25g8-2mcf-fcx9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-25g8-2mcf-fcx9" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-25g8-2mcf-fcx9", "reference_id": "GHSA-25g8-2mcf-fcx9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-09T19:59:02Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-25g8-2mcf-fcx9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40204?format=api", "purl": "pkg:pypi/changedetection.io@0.54.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4e-eq4u-yuek" }, { "vulnerability": "VCID-fnhh-j4zf-7ya9" }, { "vulnerability": "VCID-g9np-9kpd-d7hx" }, { "vulnerability": "VCID-u9sm-antt-4yh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.4" } ], "aliases": [ "CVE-2026-29065", "GHSA-25g8-2mcf-fcx9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tkfe-t9cg-yqb3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71878?format=api", "vulnerability_id": "VCID-u9sm-antt-4yh9", "summary": "changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35490", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09302", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09249", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35490" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/commit/31a760c2147e3e73a403baf6d7de34dc50429c85", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io/commit/31a760c2147e3e73a403baf6d7de34dc50429c85" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.8" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-28.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-28.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35490", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35490" }, { "reference_url": "https://github.com/advisories/GHSA-jmrh-xmgh-x9j4", "reference_id": "GHSA-jmrh-xmgh-x9j4", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jmrh-xmgh-x9j4" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4", "reference_id": "GHSA-jmrh-xmgh-x9j4", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-09T14:36:58Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374156?format=api", "purl": "pkg:pypi/changedetection.io@0.54.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4e-eq4u-yuek" }, { "vulnerability": "VCID-fnhh-j4zf-7ya9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.8" } ], "aliases": [ "CVE-2026-35490", "GHSA-jmrh-xmgh-x9j4", "PYSEC-2026-28" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u9sm-antt-4yh9" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79732?format=api", "vulnerability_id": "VCID-gcdt-mdbg-f7c3", "summary": "changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06409", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.0639", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27696" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dgtlmoon/changedetection.io" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27696", "reference_id": "CVE-2026-27696", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27696" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/commit/fe7aa38c651d73fe5f41ce09855fa8f97193747b", "reference_id": "fe7aa38c651d73fe5f41ce09855fa8f97193747b", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-25T14:51:00Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/commit/fe7aa38c651d73fe5f41ce09855fa8f97193747b" }, { "reference_url": "https://github.com/advisories/GHSA-3c45-4pj5-ch7m", "reference_id": "GHSA-3c45-4pj5-ch7m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3c45-4pj5-ch7m" }, { "reference_url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-3c45-4pj5-ch7m", "reference_id": "GHSA-3c45-4pj5-ch7m", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-25T14:51:00Z/" } ], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-3c45-4pj5-ch7m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39872?format=api", "purl": "pkg:pypi/changedetection.io@0.54.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6r4e-eq4u-yuek" }, { "vulnerability": "VCID-6vhr-wdcn-byf8" }, { "vulnerability": "VCID-b36q-52sb-tkd6" }, { "vulnerability": "VCID-fnhh-j4zf-7ya9" }, { "vulnerability": "VCID-g9np-9kpd-d7hx" }, { "vulnerability": "VCID-tkfe-t9cg-yqb3" }, { "vulnerability": "VCID-u9sm-antt-4yh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.1" } ], "aliases": [ "CVE-2026-27696", "GHSA-3c45-4pj5-ch7m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gcdt-mdbg-f7c3" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection.io@0.54.1" }