CVE-2026-27645
Cross-Site Scripting in changedetection.io RSS Endpoint Before
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtechnologies | changedetection | to 0.54.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27645 is a reflected Cross-Site Scripting (XSS) vulnerability in the changedetection.io project, specifically in the RSS single-watch endpoint. The issue occurs because the UUID path parameter is directly reflected in the HTTP response body without proper HTML escaping. Since Flask returns a default content type of text/html for plain string responses, any malicious JavaScript injected via the UUID parameter is executed by the browser when the response is rendered.
This vulnerability allows an attacker to craft a malicious URL containing JavaScript code in the UUID parameter. When a victim with an active session clicks this URL, the injected script runs in their browser context, potentially stealing session cookies or performing other malicious actions.
The vulnerability was fixed in version 0.54.1 by enforcing strict UUID validation in route parameters, improving error response handling with proper content types and localization, and adding authentication requirements to relevant routes.
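The two mechanisms the answer above names, strict UUID validation of the route parameter and an error response with a non-HTML content type, can be shown side by side in a framework-independent way. The following is an added example written for this page, not code from the changedetection.io project; how the project itself implemented the fix is not shown here, and the function names (`parse_watch_uuid`, `rss_watch_vulnerable`, `rss_watch_hardened`, `reflects_unescaped`) and the sample watch data are constructed for illustration. Each handler returns a `(status, headers, body)` triple standing in for the HTTP response.

```python
import html
import re
import uuid

# Canonical 8-4-4-4-12 form only. uuid.UUID() by itself is lenient (it accepts
# braces, a "urn:uuid:" prefix and un-hyphenated hex), so check the shape first.
_CANONICAL_UUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_watch_uuid(raw):
    """Return the normalised (lower-case) UUID string, or None if the path
    segment is not a canonical UUID. Anything else is rejected before use."""
    if not isinstance(raw, str) or not _CANONICAL_UUID.match(raw):
        return None
    try:
        return str(uuid.UUID(raw))
    except ValueError:
        return None


def rss_watch_vulnerable(raw_uuid, watches):
    """Reconstruction of the pattern the advisory describes (hypothetical, not
    the project's code): the raw path segment is interpolated into a plain
    string that the framework serves as text/html, so markup in it reaches the
    browser intact. Returns (status, headers, body)."""
    if raw_uuid not in watches:
        return 404, {"Content-Type": "text/html; charset=utf-8"}, f"No watch with UUID {raw_uuid}"
    return 200, {"Content-Type": "application/rss+xml; charset=utf-8"}, watches[raw_uuid]


def rss_watch_hardened(raw_uuid, watches):
    """Hardened counterpart: validate the UUID before any lookup, and send
    error bodies as text/plain (with HTML escaping as defence in depth) so the
    browser never parses them as a web page. Returns (status, headers, body)."""
    plain = {"Content-Type": "text/plain; charset=utf-8"}
    watch_uuid = parse_watch_uuid(raw_uuid)
    if watch_uuid is None:
        return 400, plain, "Invalid watch UUID: " + html.escape(str(raw_uuid), quote=True)
    if watch_uuid not in watches:
        return 404, plain, "No watch with UUID " + watch_uuid
    return 200, {"Content-Type": "application/rss+xml; charset=utf-8"}, watches[watch_uuid]


def reflects_unescaped(response, marker="<img"):
    """True when the raw marker appears in a body the client would render as HTML."""
    _status, headers, body = response
    return headers.get("Content-Type", "").startswith("text/html") and marker in body


if __name__ == "__main__":
    # Constructed sample data: one real watch and the payload quoted in the advisory.
    watches = {"123e4567-e89b-12d3-a456-426614174000": "<rss>...</rss>"}
    payload = "<img src=x onerror=alert(document.cookie)>"
    print("vulnerable reflects markup:", reflects_unescaped(rss_watch_vulnerable(payload, watches)))
    print("hardened reflects markup:  ", reflects_unescaped(rss_watch_hardened(payload, watches)))
```

The shape check before `uuid.UUID()` matters because the parser alone would accept inputs such as `{...}` or 32 bare hex digits, which would then not round-trip to the string the route expects. In a real Flask application the same rejection can be pushed into routing with Werkzeug's `<uuid:...>` URL converter, so that a non-UUID segment never reaches the view at all; whether the project used that converter or its own check is not stated on this page.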
How can this vulnerability impact me?
This vulnerability can lead to several security impacts including:
- Theft of session cookies via JavaScript execution, potentially allowing attackers to hijack user sessions.
- Potential account takeover if session cookies are not protected with the HttpOnly flag.
- Phishing attacks where attackers send crafted URLs that appear to come from trusted changedetection.io instances.
- Because the RSS access token is exposed without authentication, attackers can more easily exploit this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the RSS single-watch endpoint of changedetection.io for reflected Cross-Site Scripting (XSS) by injecting malicious JavaScript payloads into the UUID path parameter and observing if the payload is reflected unescaped in the HTTP response.
A proof of concept involves sending a crafted HTTP GET request with a malicious UUID parameter containing JavaScript code, for example:
- `curl -i "http://<target-host>/rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=<RSS_ACCESS_TOKEN>"`
If the response body contains the injected script unescaped (e.g., the `<img>` tag appears in the response), this indicates the presence of the vulnerability.
Note that the RSS access token is required for the request, which can be extracted from the homepage HTML tag without authentication. [2]
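Active probing, as described above, tells you whether an instance is vulnerable; the complementary defender's check is to look at web-server access logs for requests to the single-watch RSS endpoint whose UUID segment is not a UUID at all. The following is an added example for this page, not tooling from the project or the advisory: it parses combined-format access-log lines, percent-decodes the `/rss/watch/<segment>` path segment and reports every request whose segment is not a canonical UUID, tagging any that carry markup-like substrings. The function name `find_suspicious_rss_requests`, the log format assumption and the sample log lines (including the placeholder token value) are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log prefix: client, ident, user, [time], "METHOD path HTTP/x", status
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Path shape of the single-watch RSS endpoint quoted in the advisory; the segment
# after /rss/watch/ is where a canonical UUID is expected.
_RSS_WATCH = re.compile(r"^/rss/watch/([^/?#]+)")
_CANONICAL_UUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Substrings that suggest markup or script in a segment that should be a UUID.
_MARKUP_HINTS = ("<", ">", "onerror", "script", "javascript:")


def find_suspicious_rss_requests(log_lines):
    """Return one dict per request to /rss/watch/<segment> whose segment is not
    a canonical UUID. The segment is percent-decoded first, since the payload in
    the advisory is URL-encoded on the wire."""
    findings = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        r = _RSS_WATCH.match(m.group("path"))
        if not r:
            continue  # some other endpoint
        segment = unquote(r.group(1))
        if _CANONICAL_UUID.match(segment):
            continue  # well-formed watch UUID, nothing to report
        lowered = segment.lower()
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "segment": segment,
            "markers": [h for h in _MARKUP_HINTS if h in lowered],
        })
    return findings


# Constructed sample log lines (not real traffic). The second one carries the
# URL-encoded payload quoted in the advisory; the token value is a placeholder.
SAMPLE_LOG = [
    '198.51.100.4 - - [25/Feb/2026:10:00:01 +0000] "GET /rss/watch/123e4567-e89b-12d3-a456-426614174000?token=TOKEN_PLACEHOLDER HTTP/1.1" 200 2048 "-" "FeedReader/1.0"',
    '203.0.113.7 - - [25/Feb/2026:10:00:09 +0000] "GET /rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=TOKEN_PLACEHOLDER HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Feb/2026:10:00:12 +0000] "GET /rss/watch/not-a-uuid?token=TOKEN_PLACEHOLDER HTTP/1.1" 404 64 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Feb/2026:10:00:15 +0000] "GET /static/app.js HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_suspicious_rss_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} markers={f['markers']} segment={f['segment']!r}")
```

Read the status column together with the segment: on an instance still below 0.54.1, a 200 for a non-UUID segment means the reflected response was actually served, while on a patched instance the same request should be rejected by the UUID validation, so such hits mostly record that someone probed the endpoint. Because the payload arrives percent-encoded, matching on the raw log text for `<img` would miss it; decoding the segment first is what makes the markup hints fire.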
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade changedetection.io to version 0.54.1 or later, where the vulnerability has been fixed.
The fix includes strict UUID validation in URL parameters, improved error response handling with proper content types and localization, and authentication enforcement on relevant routes to prevent unauthorized exploitation.
Until upgrading, restrict access to the RSS single-watch endpoint and consider invalidating or rotating the RSS access tokens to reduce the risk of exploitation.