changedetection.io: Reflected XSS in RSS Tag Error Response
Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
changedetection.ioPyPI | < 0.54.4 | 0.54.4 |
Affected products
1- Range: < 0.54.4
Patches
1ec7d56f85d1eCVE-2026-29038 - Reflected XSS in RSS Tag Error Response
1 file changed · +1 −1
changedetectionio/blueprint/rss/tag.py+1 −1 modified@@ -7,7 +7,7 @@ def construct_tag_routes(rss_blueprint, datastore): datastore: The ChangeDetectionStore instance """ - @rss_blueprint.route("/tag/<string:tag_uuid>", methods=['GET']) + @rss_blueprint.route("/tag/<uuid_str:tag_uuid>", methods=['GET']) def rss_tag_feed(tag_uuid): from flask import make_response, request, url_for
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-8whx-v8qq-pq64ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-29038ghsaADVISORY
- github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780ghsax_refsource_MISCWEB
- github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4ghsax_refsource_MISCWEB
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64ghsax_refsource_CONFIRMWEB
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89wghsaWEB
News mentions
0No linked articles in our index yet.