dgtlmoon/changedetection.io vulnerabilities
20 known vulnerabilities affecting dgtlmoon/changedetection.io.
Total CVEs: 20
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 7, MEDIUM 9, LOW 1
Vulnerabilities
CVE-2024-32651 [CRITICAL] CVSS 10.0, P1, CWE-1336, public PoC, affected ≤ 0.45.20, date 2024-04-26, sources: GHSA, NVD
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact i
CVE-2024-51483 [MEDIUM] CVSS 6.9, P3, CWE-22, public PoC, fixed in 0.47.5, date 2024-11-01, sources: GHSA, NVD
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.
CVE-2026-25527 [MEDIUM] CVSS 5.3, P3, CWE-22, public PoC, fixed in 0.53.2, date 2026-02-19, source: NVD
changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static//` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g.
CVE-2026-29065 [CRITICAL] CVSS 9.1, P3, CWE-22, fixed in 0.54.4, date 2026-03-06, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.
CVE-2026-27645 [MEDIUM] CVSS 6.1, P3, CWE-79, public PoC, fixed in 0.54.1, date 2026-02-25, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version
CVE-2026-35490 [CRITICAL] CVSS 9.8, P3, CWE-863, fixed in 0.54.8, date 2026-04-07, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the o
CVE-2025-62780 [MEDIUM] CVSS 5.4, P3, CWE-79, public PoC, fixed in 0.50.34, date 2025-11-10, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in the changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page.
CVE-2026-27696 [HIGH] CVSS 8.6, P3, CWE-918, fixed in 0.54.1, date 2026-02-25, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authen
CVE-2024-51998 [HIGH] CVSS 8.6, P3, CWE-22, fixed in 0.47.06, date 2024-11-08, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` false or not defined. The check used for URL protocol, `is_safe_url`, allows `
CVE-2024-56509 [HIGH] CVSS 8.6, P3, CWE-22, fixed in 0.48.05, date 2024-12-27, sources: GHSA, NVD
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur when user input is used to construct file paths without adequate sanitizat
CVE-2026-29039 [HIGH] CVSS 7.5, P3, CWE-94, fixed in 0.54.4, date 2026-03-06, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements the XPath 3.0/3.1 specification. XPath 3.0 inclu
CVE-2024-34061 [MEDIUM] CVSS 4.3, P4, CWE-79, public PoC, fixed in 0.45.22, date 2024-05-02, sources: GHSA, NVD
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions, input in the notification_urls parameter is not processed, resulting in JavaScript execution in the application. A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected o
CVE-2026-43891 [HIGH] CVSS 7.5, P3, CWE-73, fixed in 0.55.1, date 2026-05-12, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID d
CVE-2026-41895 [HIGH] CVSS 7.5, P3, CWE-611, affected ≤ 0.54.9, date 2026-05-12, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes
CVE-2026-35000 [MEDIUM] CVSS 6.5, P3, CWE-184, fixed in 0.54.7, date 2026-04-01, source: NVD
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions
CVE-2026-33981 [MEDIUM] CVSS 6.5, P3, CWE-200, fixed in 0.54.7, date 2026-03-27, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can lea
CVE-2025-52558 [HIGH] CVSS 7.0, P4, CWE-79, fixed in 0.50.4, date 2025-06-23, sources: GHSA, NVD
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered, resulting in a cross-site scripting (XSS) vulnerability. This issue has been patched in version 0.50.4.
CVE-2026-29038 [MEDIUM] CVSS 6.1, P4, CWE-79, fixed in 0.54.4, date 2026-03-06, sources: GHSA, NVD
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by
CVE-2023-24769 [MEDIUM] no CVSS score, P4, CWE-79, affected ≥ 0, < 0.40.2, date 2023-02-18, source: GHSA
Stored cross site scripting in changedetection.io
Changedetection.io before 0.40.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.
CVE-2024-23329 [LOW] CVSS 3.7, P4, CWE-863, affected ≥ 0.39.14, < 0.45.13, date 2024-01-19, sources: GHSA, NVD
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result, any unauthorized user can check someone's watch history. However, because an unauthorized party first needs to know a watch UUID, and the watch history e