CVE-2026-27645
Status: Received - Intake
Cross-Site Scripting in changedetection.io RSS Endpoint Before

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: webtechnologies
Product: changedetection
Version / Range: up to 0.54.1 (exclusive)
CWE
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-27645 is a reflected Cross-Site Scripting (XSS) vulnerability in the changedetection.io project, specifically in the RSS single-watch endpoint. The issue occurs because the UUID path parameter is directly reflected in the HTTP response body without proper HTML escaping. Since Flask returns a default content type of text/html for plain string responses, any malicious JavaScript injected via the UUID parameter is executed by the browser when the response is rendered.

This vulnerability allows an attacker to craft a malicious URL containing JavaScript code in the UUID parameter. When a victim with an active session clicks this URL, the injected script runs in their browser context, potentially stealing session cookies or performing other malicious actions.

The vulnerability was fixed in version 0.54.1 by enforcing strict UUID validation in route parameters, improving error response handling with proper content types and localization, and adding authentication requirements to relevant routes.

Impact Analysis

This vulnerability can lead to several security impacts including:

  • Theft of session cookies via JavaScript execution, potentially allowing attackers to hijack user sessions.
  • Potential account takeover if session cookies are not protected with the HttpOnly flag.
  • Phishing attacks where attackers send crafted URLs that appear to come from trusted changedetection.io instances.
  • Because the RSS access token is exposed without authentication, attackers can more easily exploit this vulnerability.
Detection Guidance

This vulnerability can be detected by testing the RSS single-watch endpoint of changedetection.io for reflected Cross-Site Scripting (XSS) by injecting malicious JavaScript payloads into the UUID path parameter and observing if the payload is reflected unescaped in the HTTP response.

A proof of concept involves sending a crafted HTTP GET request with a malicious UUID parameter containing JavaScript code, for example:

  • curl -i "http://<target-host>/rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=<RSS_ACCESS_TOKEN>"

If the response body contains the injected script unescaped (e.g., the <img> tag appears in the response), this indicates the presence of the vulnerability.

Note that the RSS access token is required for the request, which can be extracted from the homepage HTML tag without authentication. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade changedetection.io to version 0.54.1 or later, where the vulnerability has been fixed.

The fix includes strict UUID validation in URL parameters, improved error response handling with proper content types and localization, and authentication enforcement on relevant routes to prevent unauthorized exploitation.

Until upgrading, restrict access to the RSS single-watch endpoint and consider invalidating or rotating the RSS access tokens to reduce the risk of exploitation.
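The following is an added illustration of the defect class and the fix pattern the advisory describes (strict UUID validation, no raw echo of the path parameter, an explicit content type on error responses). It is not changedetection.io's code: the watch store, the error strings and the function names are constructed for this example, and Flask is modelled by returning (body, status, headers) tuples so the snippet runs with only the standard library.

```python
import html
import uuid

# Constructed sample watch store (UUID -> watch title); not project data.
WATCHES = {
    "2f1c3a4e-1b2d-4c5e-8f90-1234567890ab": "Example watch",
}


def is_canonical_uuid(value: str) -> bool:
    """Strict check: the value must parse as a UUID *and* round-trip to the
    same canonical dashed text, so braces, urn: prefixes, bare hex and any
    markup are all rejected before the value is used anywhere."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return str(parsed) == value.lower()


def rss_watch_vulnerable(watch_uuid: str):
    """Pattern the advisory describes (assumed wording, not the project's):
    the unvalidated path parameter is echoed into a bare string. A Flask view
    that returns a plain str is served as text/html by default, so a browser
    renders whatever markup was in the path."""
    if watch_uuid not in WATCHES:
        # No validation, no escaping, no explicit content type.
        return f"Watch {watch_uuid} not found", 404, {}
    return "<rss><channel></channel></rss>", 200, {"Content-Type": "application/rss+xml"}


def rss_watch_hardened(watch_uuid: str):
    """Validate first, never reflect the raw parameter, and pin the
    Content-Type of every response so the browser cannot treat an error
    message as an HTML document."""
    text_plain = {"Content-Type": "text/plain; charset=utf-8"}
    if not is_canonical_uuid(watch_uuid):
        return "Invalid watch identifier", 400, text_plain
    if watch_uuid not in WATCHES:
        return "Watch not found", 404, text_plain
    # Data that does go into markup is escaped, even though it came from the store.
    title = html.escape(WATCHES[watch_uuid])
    body = f"<rss><channel><title>{title}</title></channel></rss>"
    return body, 200, {"Content-Type": "application/rss+xml; charset=utf-8"}


if __name__ == "__main__":
    # Constructed non-UUID input containing markup; compare the two behaviours.
    bad = "<b>not-a-uuid</b>"
    print("vulnerable:", rss_watch_vulnerable(bad))
    print("hardened:  ", rss_watch_hardened(bad))
    print("valid:     ", rss_watch_hardened("2f1c3a4e-1b2d-4c5e-8f90-1234567890ab"))
```

In a real Flask application the same validation can be pushed into routing with the built-in `uuid` URL converter (`@app.route("/rss/watch/<uuid:watch_uuid>")`), which refuses to match non-UUID paths so the view never sees them; the explicit Content-Type on error responses remains worth keeping regardless, and so does the authentication requirement the fix added to the route.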
