CVE-2026-29038
Published 2026-03-06
Priority P426 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.28% (19.9th percentile)
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
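The pattern described above, reconstructed as an added example that is not changedetection.io's code nor its actual fix: a hypothetical error handler that concatenates `tag_uuid` into a bare string return (which Flask would serve as `text/html`), beside a hardened version that validates the parameter as a UUID, never echoes an unvalidated value, and serves the error as `text/plain`. The handler names, the message wording, the stand-in for Flask's default mimetype, the UUID validation step and the probe string are all assumptions; `reflects_unescaped_html` is the check a tester or reviewer can run against either handler's response to tell whether it has the bug.

```python
"""Vulnerable vs. hardened handling of a path parameter that is reflected into
an error response.  Stand-alone reconstruction of the pattern the advisory
describes; it is NOT changedetection.io's code.  Handler names, message wording
and the probe string are constructed for this example.  No Flask import is
needed: each handler returns (body, status, headers), the same triple a Flask
view could return, and FLASK_DEFAULT_MIMETYPE stands in for the text/html
content type Flask assigns to a bare string return."""
import html
import uuid

# What Flask sends for a plain `return "some string"` (assumption, per advisory text).
FLASK_DEFAULT_MIMETYPE = "text/html; charset=utf-8"
TEXT_PLAIN = "text/plain; charset=utf-8"

# Constructed, harmless probe: any literal HTML tag in the body proves reflection.
PROBE = "<i>xss-probe</i>"


def vulnerable_rss_tag(tag_uuid: str) -> tuple[str, int, dict]:
    """Hypothetical 'before' handler: the unknown-tag message is built by string
    formatting and returned as a bare str, so the untrusted tag_uuid lands in an
    HTML body with no escaping."""
    body = f"Tag {tag_uuid} not found"  # constructed wording, not the project's
    return body, 404, {"Content-Type": FLASK_DEFAULT_MIMETYPE}


def hardened_rss_tag(tag_uuid: str) -> tuple[str, int, dict]:
    """Hardened handler (assumed fix, not the project's): validate the parameter
    as a UUID, never reflect an unvalidated value, and serve the error as
    text/plain so the browser will not parse the body as HTML."""
    try:
        canonical = str(uuid.UUID(tag_uuid))  # raises ValueError on anything non-UUID
    except ValueError:
        # Generic message: the untrusted value is not echoed at all.
        return "Tag not found", 404, {"Content-Type": TEXT_PLAIN}
    # canonical is hex and hyphens only; escaping is defence in depth for the
    # day someone changes the Content-Type back to HTML.
    return f"Tag {html.escape(canonical)} not found", 404, {"Content-Type": TEXT_PLAIN}


def reflects_unescaped_html(response: tuple[str, int, dict], marker: str) -> bool:
    """Detection check for a handler response: True when `marker` appears
    verbatim in a body whose Content-Type makes the browser parse it as HTML."""
    body, _status, headers = response
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media_type == "text/html" and marker in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_rss_tag), ("hardened", hardened_rss_tag)):
        resp = handler(PROBE)
        print(f"{name}: reflects unescaped HTML = {reflects_unescaped_html(resp, PROBE)}")
```

The check deliberately looks at both the body and the media type: escaping alone fixes the reflection, and a `text/plain` content type alone stops the browser from rendering it, but the hardened handler does both plus input validation, so a regression in any one layer is still caught by the other two.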
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgtlmoon | changedetection.io | < 0.54.4 | 0.54.4 |
| dgtlmoon | changedetection.io | >= 0 < 0.54.4 | 0.54.4 |
| webtechnologies | changedetection | < 0.54.4 | 0.54.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| ghsa | | 6.1 | MEDIUM | |
| osv | | 6.1 | MEDIUM | |
GHSA
## changedetection.io has Reflected XSS in its RSS Tag Error Response
ghsa · 2026-03-04 · CVSS 6.1 · CVE-2026-29038 [MEDIUM] · CWE-79
A reflected cross-site scripting (XSS) vulnerability was identified in the `/rss/tag/` endpoint of changedetection.io. The `tag_uuid` path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns `text/html` by default for plain string responses, the browser parses and executes injected JavaScript.
This vulnerability persists in version **0.54.1**, which patched the related XSS in `/rss/watch/` (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint.
## Package
- **Ecosystem:** pip
- **Package:** changedetection.io
- **Affected versions:** [value truncated on this page]
… HTML tag on the homepage without authentication:
1. Attacker visits the target's homepa…
OSV
## changedetection.io has Reflected XSS in its RSS Tag Error Response
osv · 2026-03-04 · CVSS 6.1 · CVE-2026-29038 [MEDIUM]
No detection rules found.
No public exploits indexed.