Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-mfn1-axbk-suf9
Vulnerability ID VCID-mfn1-axbk-suf9
Aliases CVE-2026-27645
GHSA-mw8m-398g-h89w
Summary changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00715 https://api.first.org/data/v1/epss?cve=CVE-2026-27645
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-mw8m-398g-h89w
cvssv3.1 6.1 https://github.com/dgtlmoon/changedetection.io
generic_textual MODERATE https://github.com/dgtlmoon/changedetection.io
cvssv3.1 6.1 https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
generic_textual MODERATE https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
ssvc Track https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
cvssv3.1 6.1 https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
cvssv3.1_qr MODERATE https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
generic_textual MODERATE https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
ssvc Track https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2026-27645
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-27645
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-27645
https://github.com/dgtlmoon/changedetection.io
a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5 https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
CVE-2026-27645 https://nvd.nist.gov/vuln/detail/CVE-2026-27645
GHSA-mw8m-398g-h89w https://github.com/advisories/GHSA-mw8m-398g-h89w
GHSA-mw8m-398g-h89w https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/dgtlmoon/changedetection.io
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T14:55:52Z/ Found at https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-25T14:55:52Z/ Found at https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27645
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.72825
EPSS Score 0.00715
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:50:46.266259+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/27xxx/CVE-2026-27645.json 38.6.0