{"url":"http://public2.vulnerablecode.io/api/packages/48133?format=json","purl":"pkg:pypi/changedetection-io@0.52.4","type":"pypi","namespace":"","name":"changedetection-io","version":"0.52.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.55.1","latest_non_vulnerable_version":"0.55.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9666?format=json","vulnerability_id":"VCID-6aa7-urwd-tqgw","summary":"changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41895","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14682","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41895"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dgtlmoon/changedetection.io"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T15:09:28Z/"}],"url":"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41895","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41895"},{"reference_url":"https://github.com/advisories/GHSA-v7cp-2cx9-x793","reference_id":"GHSA-v7cp-2cx9-x793","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v7cp-2cx9-x793"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49205?format=json","purl":"pkg:pypi/changedetection-io@0.54.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f4ss-7wu5-wqde"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.54.10"}],"aliases":["CVE-2026-41895","GHSA-v7cp-2cx9-x793","PYSEC-2026-29"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6aa7-urwd-tqgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9607?format=json","vulnerability_id":"VCID-ek84-hjsn-yya7","summary":"changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35490","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09274","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35490"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dgtlmoon/changedetection.io"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io/commit/31a760c2147e3e73a403baf6d7de34dc50429c85","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dgtlmoon/changedetection.io/commit/31a760c2147e3e73a403baf6d7de34dc50429c85"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.8"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-09T14:36:58Z/"}],"url":"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35490","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35490"},{"reference_url":"https://github.com/advisories/GHSA-jmrh-xmgh-x9j4","reference_id":"GHSA-jmrh-xmgh-x9j4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmrh-xmgh-x9j4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48153?format=json","purl":"pkg:pypi/changedetection-io@0.54.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6aa7-urwd-tqgw"},{"vulnerability":"VCID-f4ss-7wu5-wqde"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.54.8"}],"aliases":["CVE-2026-35490","GHSA-jmrh-xmgh-x9j4","PYSEC-2026-28"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ek84-hjsn-yya7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9667?format=json","vulnerability_id":"VCID-f4ss-7wu5-wqde","summary":"changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and  returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43891","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11462","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43891"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dgtlmoon/changedetection.io"},{"reference_url":"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:36:12Z/"}],"url":"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56"},{"reference_url":"https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43891","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43891"},{"reference_url":"https://github.com/advisories/GHSA-8757-69j2-hx56","reference_id":"GHSA-8757-69j2-hx56","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8757-69j2-hx56"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49206?format=json","purl":"pkg:pypi/changedetection-io@0.55.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.55.1"}],"aliases":["CVE-2026-43891","GHSA-8757-69j2-hx56","PYSEC-2026-30"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ss-7wu5-wqde"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/changedetection-io@0.52.4"}