Moderate severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026
changedetection.io: Reflected XSS in RSS Tag Error Response
CVE-2026-29038
Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
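A minimal model of the flaw described above and one way to close it, as an added example (not changedetection.io's code or its actual patch). The handler names, message text and status codes are assumptions; responses are modelled as `(status, content type, body)` tuples with the standard library only, using the `text/html` default for string returns that the description attributes to Flask.

```python
import html
import uuid
from html.parser import HTMLParser

DEFAULT_MIMETYPE = "text/html"   # what a plain-string return is served as
PROBE = "<script>probe()</script>"  # constructed test input, not from the advisory


def vulnerable_handler(tag_uuid):
    # Hypothetical handler: the path parameter goes into the body unescaped.
    return 404, DEFAULT_MIMETYPE, f"Tag {tag_uuid} not found"


def hardened_handler(tag_uuid):
    # Accept only a canonical hyphenated UUID; never echo anything else.
    try:
        valid = str(uuid.UUID(tag_uuid)) == tag_uuid.lower()
    except ValueError:
        valid = False
    if not valid:
        return 400, "text/plain; charset=utf-8", "Invalid tag identifier"
    # Defence in depth: escape on output and declare a non-HTML content type.
    body = f"Tag {html.escape(tag_uuid)} not found"
    return 404, "text/plain; charset=utf-8", body


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser finds in a body."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_elements(response):
    """Regression check: elements a browser would build from the response."""
    _status, content_type, body = response
    if not content_type.startswith("text/html"):
        return []  # assumes the client does not MIME-sniff (e.g. nosniff is set)
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags
```

A check like `injected_elements` can sit in a test suite for every endpoint that echoes request data, so an unescaped reflection fails the build instead of reaching a release.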
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| changedetection.io (PyPI) | < 0.54.4 | 0.54.4 |
Affected products
- Range: < 0.54.4
References
- github.com/advisories/GHSA-8whx-v8qq-pq64
- nvd.nist.gov/vuln/detail/CVE-2026-29038
- github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780
- github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w