Vulnerability Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
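The reflection described above, modelled next to a hardened form. This is an added example, not changedetection.io's code or its patch: the handler names, the error message text, the status codes and the assumption that tag_uuid must be a well-formed UUID are all hypothetical, and each handler returns (status, headers, body) instead of running inside Flask.

```python
import html
import uuid
from urllib.parse import unquote

PREFIX = "/rss/tag/"
PLAIN = {"Content-Type": "text/plain; charset=utf-8",
         "X-Content-Type-Options": "nosniff"}


def vulnerable_handler(path):
    """Pre-fix behaviour as the description states it: the path value is
    copied into the body unescaped and served as text/html."""
    tag_uuid = unquote(path[len(PREFIX):])
    body = f"Tag with UUID {tag_uuid} not found"  # message text is assumed
    return 404, {"Content-Type": "text/html; charset=utf-8"}, body


def hardened_handler(path):
    """Validate first, escape on output, and never serve the error as HTML."""
    tag_uuid = unquote(path[len(PREFIX):])
    try:
        # Only a well-formed UUID is accepted (assumed rule); re-serialising
        # it means the reflected value is produced by the server, not copied
        # from the request.
        canonical = str(uuid.UUID(tag_uuid))
    except ValueError:
        return 400, PLAIN, "Invalid tag identifier"  # nothing reflected
    # Escaping is redundant after validation but keeps the output safe if
    # the validation rule is ever relaxed.
    return 404, PLAIN, f"Tag with UUID {html.escape(canonical)} not found"


# Constructed inputs: a harmless markup probe and a well-formed UUID.
PROBE = PREFIX + "%3Cscript%3Eprobe%3C%2Fscript%3E"
VALID = PREFIX + "123e4567-e89b-12d3-a456-426614174000"

if __name__ == "__main__":
    for handler in (vulnerable_handler, hardened_handler):
        for path in (PROBE, VALID):
            status, headers, body = handler(path)
            print(handler.__name__, status, headers["Content-Type"], body)
```

The same two inputs work as a regression check against a real deployment: a response to the probe that is served as text/html and contains the literal markup indicates an unpatched instance.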
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webtechnologies | Changedetection | < 0.54.4 |
Related Weaknesses (CWE)
References
- https://github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711 (Patch)
- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4 (Product, Release Notes)
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8q (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-29038?
CVE-2026-29038 is a vulnerability with a CVSS score of 6.1 (MEDIUM). changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of ...
How severe is CVE-2026-29038?
CVE-2026-29038 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29038?
Check the references section above for vendor advisories and patch information. Affected products include: Webtechnologies Changedetection.