{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.242Z", "datePublished": "2026-03-06T06:53:56.959Z", "dateUpdated": "2026-03-09T19:57:44.702Z"}, "containers": {"cna": {"title": "changedetection.io: Reflected XSS in RSS Tag Error Response", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64"}, {"name": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780"}, {"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4"}], "affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"version": "< 0.54.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T06:53:56.959Z"}, "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4."}], "source": {"advisory": "GHSA-8whx-v8qq-pq64", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:57:33.784446Z", "id": "CVE-2026-29038", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:57:44.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29038", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:57:33.784446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:57:40.273Z"}}], "cna": {"title": "changedetection.io: Reflected XSS in RSS Tag Error Response", "source": {"advisory": "GHSA-8whx-v8qq-pq64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"status": "affected", "version": "< 0.54.4"}]}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64", "name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780", "name": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4", "name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T06:53:56.959Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29038", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:57:44.702Z", "dateReserved": "2026-03-03T17:50:11.242Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T06:53:56.959Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4C1D55D-C25D-433D-98EA-A9C3336210DE", "versionEndExcluding": "0.54.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4."}, {"lang": "es", "value": "changedetection.io es una herramienta gratuita de c\u00f3digo abierto para la detecci\u00f3n de cambios en p\u00e1ginas web. Antes de la versi\u00f3n 0.54.4, existe una vulnerabilidad de cross-site scripting (XSS) reflejado identificada en el endpoint /rss/tag/ de changedetection.io. El par\u00e1metro de ruta tag_uuid se refleja directamente en el cuerpo de la respuesta HTTP sin escape HTML. Dado que Flask devuelve text/html por defecto para respuestas de cadena de texto plano, el navegador analiza y ejecuta JavaScript inyectado. Este problema ha sido parcheado en la versi\u00f3n 0.54.4."}], "id": "CVE-2026-29038", "lastModified": "2026-03-10T19:38:06.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T07:16:01.393", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.54.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "changedetection.io", "source": "cna", "vendor": "dgtlmoon"}, "product": "changedetection.io", "vendor": "dgtlmoon"}], "analysis": {"en": {"generated_at": "2026-04-16T11:30:03.276157+00:00", "value": {"mitigation_remediation": ["Update changedetection.io to version 0.54.4 or later, which contains the hard\u2011coded fix for the reflected XSS.", "Validate any user\u2011supplied tag_uuid values on the server side, ensuring they match the expected UUID format and escaping or encoding the output before inclusion in the HTTP response.", "If an upgrade cannot be applied immediately, remove or restrict external access to the /rss/tag endpoint so that browsers cannot load error responses containing untrusted user input."], "summary": {"action": "Patch Immediately", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of changedetection.io from earlier releases up to, but not including, version 0.54.4. The vendor dgtlmoon distributes the affected product as changedetection.io, a free open\u2011source web\u2011page change monitoring tool.", "description_and_impact": "A reflected XSS flaw exists in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is returned unescaped in the HTTP response body when an error occurs. Because Flask sends the response with a text/html content type, browsers render and execute any JavaScript injected into the tag_uuid value. An attacker can exploit this to run arbitrary script in the context of the victim\u2019s browser session, enabling credential theft, session hijacking, or malicious site defacement.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderately high impact, while the EPSS score of less than 1% reflects a very low current exploitation probability. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is via a crafted URL to the /rss/tag/ endpoint that an end\u2011user or automated service might visit; the attacker can embed malicious payloads directly into the tag_uuid path and trick browsers into executing it."}}}}, "created": "2026-03-06T14:55:33.141117+00:00", "updated": "2026-04-16T11:30:15.911586+00:00", "vendors": ["dgtlmoon", "dgtlmoon$PRODUCT$changedetection.io"]}