6.1
CVE-2026-29038
- EPSS 0.28%
- Veröffentlicht 06.03.2026 07:16:01
- Zuletzt bearbeitet 10.03.2026 19:38:06
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginchangedetection.io: Reflected XSS in RSS Tag Error Response
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webtechnologies ≫ Changedetection Version < 0.54.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.197 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780
https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64