Changedetection.io
by Dgtlmoon
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-32651 | Dgtlmoon / Changedetection.io | Critical | 0.65 | 10.0 | 0.84 | | Apr 26, 2024 | changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command… |
| CVE-2026-43891 | Dgtlmoon / Changedetection.io | High | 0.49 | 7.5 | 0.00 | | May 12, 2026 | changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored,… |
| CVE-2024-56509 | Dgtlmoon / Changedetection.io | High | 0.49 | 8.6 | 0.01 | | Dec 27, 2024 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur… |
| CVE-2024-51998 | Dgtlmoon / Changedetection.io | High | 0.49 | 8.6 | 0.01 | | Nov 8, 2024 | changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI`… |
| CVE-2024-51483 | Dgtlmoon / Changedetection.io | Medium | 0.48 | — | 0.02 | | Nov 1, 2024 | changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked.… |
| CVE-2026-41895 | Dgtlmoon / Changedetection.io | High | 0.42 | 7.5 | 0.00 | | May 12, 2026 | changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading,… |
| CVE-2025-52558 | Dgtlmoon / Changedetection.io | High | 0.39 | — | 0.01 | | Jun 23, 2025 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered, resulting in a cross-site scripting (XSS)… |
| CVE-2026-35000 | Dgtlmoon / Changedetection.io | Medium | 0.35 | 6.5 | 0.00 | | Apr 1, 2026 | ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives.… |
| CVE-2024-34061 | Dgtlmoon / Changedetection.io | Medium | 0.21 | 4.3 | 0.01 | | May 2, 2024 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions, input in parameter notification_urls is not processed, resulting in javascript execution in the application. A reflected XSS… |
| CVE-2026-29065 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.01 | | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version… |
| CVE-2026-29039 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.00 | | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the… |
| CVE-2026-29038 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.00 | | Mar 6, 2026 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the… |
| CVE-2026-27696 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.00 | | Feb 25, 2026 | changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of… |
| CVE-2026-27645 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.00 | | Feb 25, 2026 | changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain… |
| CVE-2026-25527 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.01 | | Feb 19, 2026 | changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static//` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to… |
| CVE-2025-62780 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.00 | | Nov 10, 2025 | changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in the changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can… |
| CVE-2024-23329 | Dgtlmoon / Changedetection.io | | 0.00 | — | 0.01 | | Jan 19, 2024 | changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However,… |