CVE-2026-27645

MEDIUM NUCLEI

changedetection.io <0.54.1 - XSS

Title source: llm

Description

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.

Nuclei Templates (1)

Changedetection.io RSS Single Watch - Cross-Site Scripting

MEDIUMVERIFIEDby 0x_Akoko

Shodan: http.title:"Change Detection"

FOFA: title="Change Detection"

References (2)

[Patch] https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w

Scores

CVSS v3 6.1

EPSS 0.0099

EPSS Percentile 76.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

pypi/changedetection.io 0 - 0.53.7PyPI

webtechnologies/changedetection < 0.54.1

Published Feb 25, 2026

Tracked Since Feb 25, 2026