VYPR

Changedetection.io

by Dgtlmoon

pypi: changedetection.io

Source repositories

CVEs (17)

  • CVE-2024-32651CriApr 26, 2024
    risk 0.65cvss 10.0epss 0.84

    changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command…

  • CVE-2026-43891HigMay 12, 2026
    risk 0.49cvss 7.5epss 0.00

    changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored,…

  • CVE-2024-56509HigDec 27, 2024
    risk 0.49cvss 8.6epss 0.01

    changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur…

  • CVE-2024-51998HigNov 8, 2024
    risk 0.49cvss 8.6epss 0.01

    changedetection.io is a free open source web page change detection tool. The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI`…

  • CVE-2024-51483MedNov 1, 2024
    risk 0.48cvss epss 0.02

    changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked.…

  • CVE-2026-41895HigMay 12, 2026
    risk 0.42cvss 7.5epss 0.00

    changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading,…

  • CVE-2025-52558HigJun 23, 2025
    risk 0.39cvss epss 0.01

    changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered resulting in a cross-site scripting (XSS)…

  • CVE-2026-35000MedApr 1, 2026
    risk 0.35cvss 6.5epss 0.00

    ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives.…

  • CVE-2024-34061MedMay 2, 2024
    risk 0.21cvss 4.3epss 0.01

    changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notification_urls is not processed resulting in javascript execution in the application. A reflected XSS…

  • CVE-2026-29065Mar 6, 2026
    risk 0.00cvss epss 0.01

    changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version…

  • CVE-2026-29039Mar 6, 2026
    risk 0.00cvss epss 0.00

    changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the…

  • CVE-2026-29038Mar 6, 2026
    risk 0.00cvss epss 0.00

    changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the…

  • CVE-2026-27696Feb 25, 2026
    risk 0.00cvss epss 0.00

    changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of…

  • CVE-2026-27645Feb 25, 2026
    risk 0.00cvss epss 0.00

    changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain…

  • CVE-2026-25527Feb 19, 2026
    risk 0.00cvss epss 0.01

    changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static//` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to…

  • CVE-2025-62780Nov 10, 2025
    risk 0.00cvss epss 0.00

    changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can…

  • CVE-2024-23329Jan 19, 2024
    risk 0.00cvss epss 0.01

    changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However,…