PyPI package
changedetection.io
pkg:pypi/changedetection.io
Vulnerabilities (18)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-43891 | Hig | 7.5 | < 0.55.1 | 0.55.1 | May 12, 2026 | changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, | |
| CVE-2026-41895 | Hig | 7.5 | <= 0.54.9 | — | May 12, 2026 | changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or | |
| CVE-2026-35490 | Cri | 9.8 | < 0.54.8 | 0.54.8 | Apr 7, 2026 | changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the funct | |
| CVE-2026-33981 | Med | 6.5 | < 0.54.7 | 0.54.7 | Mar 27, 2026 | changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated use | |
| CVE-2026-29065 | — | < 0.54.4 | 0.54.4 | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54. | ||
| CVE-2026-29039 | — | < 0.54.4 | 0.54.4 | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the element | ||
| CVE-2026-29038 | — | < 0.54.4 | 0.54.4 | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTT | ||
| CVE-2026-27696 | — | < 0.54.1 | 0.54.1 | Feb 25, 2026 | changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watc | ||
| CVE-2026-27645 | — | < 0.53.7 | 0.53.7 | Feb 25, 2026 | changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string | ||
| CVE-2025-62780 | — | < 0.50.34 | 0.50.34 | Nov 10, 2025 | changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can ins | ||
| CVE-2025-52558 | Hig | — | < 0.50.4 | 0.50.4 | Jun 23, 2025 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered resulting in a cross-site scripting (XSS) v | |
| CVE-2024-56509 | Hig | 8.6 | < 0.48.05 | 0.48.05 | Dec 27, 2024 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur | |
| CVE-2024-51998 | Hig | 8.6 | < 0.47.6 | 0.47.6 | Nov 8, 2024 | changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` fals | |
| CVE-2024-51483 | Med | — | < 0.47.5 | 0.47.5 | Nov 1, 2024 | changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Vers | |
| CVE-2024-34061 | Med | 4.3 | < 0.45.22 | 0.45.22 | May 2, 2024 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notification_urls is not processed resulting in javascript execution in the application. A reflected XSS vulnerab | |
| CVE-2024-32651 | Cri | 10.0 | < 0.45.21 | 0.45.21 | Apr 26, 2024 | changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command with | |
| CVE-2024-23329 | — | >= 0.39.14, < 0.45.13 | 0.45.13 | Jan 19, 2024 | changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, be | ||
| CVE-2023-24769 | — | < 0.40.2 | 0.40.2 | Feb 17, 2023 | Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a ne |
- affected < 0.55.1fixed 0.55.1
changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored,
- affected <= 0.54.9
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or
- affected < 0.54.8fixed 0.54.8
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the funct
- affected < 0.54.7fixed 0.54.7
changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated use
- CVE-2026-29065Mar 6, 2026affected < 0.54.4fixed 0.54.4
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.
- CVE-2026-29039Mar 6, 2026affected < 0.54.4fixed 0.54.4
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the element
- CVE-2026-29038Mar 6, 2026affected < 0.54.4fixed 0.54.4
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTT
- CVE-2026-27696Feb 25, 2026affected < 0.54.1fixed 0.54.1
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watc
- CVE-2026-27645Feb 25, 2026affected < 0.53.7fixed 0.53.7
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string
- CVE-2025-62780Nov 10, 2025affected < 0.50.34fixed 0.50.34
changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can ins
- affected < 0.50.4fixed 0.50.4
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered resulting in a cross-site scripting (XSS) v
- affected < 0.48.05fixed 0.48.05
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur
- affected < 0.47.6fixed 0.47.6
changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` fals
- affected < 0.47.5fixed 0.47.5
changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Vers
- affected < 0.45.22fixed 0.45.22
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notification_urls is not processed resulting in javascript execution in the application. A reflected XSS vulnerab
- affected < 0.45.21fixed 0.45.21
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command with
- CVE-2024-23329Jan 19, 2024affected >= 0.39.14, < 0.45.13fixed 0.45.13
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, be
- CVE-2023-24769Feb 17, 2023affected < 0.40.2fixed 0.40.2
Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a ne