Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29038 is a reflected cross-site scripting (XSS) vulnerability in the changedetection.io application, specifically in the /rss/tag/ endpoint. The vulnerability arises because the tag_uuid path parameter is directly reflected in the HTTP response body without proper HTML escaping. Since Flask returns text/html by default for plain string responses, any malicious JavaScript injected via the tag_uuid parameter is executed by the victim's browser."}, {'type': 'paragraph', 'content': 'This happens because the application interpolates the tag_uuid parameter into the response using an unescaped Python f-string, allowing attackers to craft URLs that inject JavaScript code. When a victim with an active session accesses such a URL, the injected script runs in their browser context.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed by enforcing stricter validation on the tag_uuid parameter, changing its type from a generic string to a UUID string, which only accepts properly formatted UUIDs, thereby preventing malicious script injection.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to several security impacts if exploited. An attacker can execute arbitrary JavaScript in the context of a victim's browser session when the victim accesses a maliciously crafted URL."}, {'type': 'list_item', 'content': 'The attacker can steal session cookies via document.cookie, potentially leading to account takeover if cookies are not protected with HttpOnly flags.'}, {'type': 'list_item', 'content': 'It can facilitate phishing attacks by leveraging trusted changedetection.io URLs to trick users into executing malicious scripts.'}, {'type': 'list_item', 'content': 'The vulnerability has a moderate severity with a CVSS 3.1 base score of 6.1, indicating it is exploitable over the network with low complexity and no privileges required, but user interaction is needed.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /rss/tag/ endpoint of changedetection.io for reflected cross-site scripting (XSS) by injecting JavaScript payloads into the tag_uuid path parameter and observing if the payload is reflected unescaped in the HTTP response body.'}, {'type': 'paragraph', 'content': 'A practical approach is to send crafted GET requests with malicious input in the tag_uuid parameter, for example using curl or similar HTTP clients.'}, {'type': 'list_item', 'content': 'curl -i "http://<target>/rss/tag/%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E?token=<valid_token>"'}, {'type': 'paragraph', 'content': 'If the response contains the injected <img> tag unescaped and triggers JavaScript execution (e.g., an alert), the vulnerability is present.'}, {'type': 'paragraph', 'content': "Note that a valid RSS access token is required to perform this test, which can be extracted from the homepage's <link> HTML tag."}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating changedetection.io to version 0.54.4 or later, where the vulnerability has been patched by enforcing UUID validation on the tag_uuid parameter.

If updating is not immediately possible, temporary mitigations include:

• Modify the application code to HTML escape the tag_uuid parameter before reflecting it in the response, for example using markupsafe.escape.
• Change the Content-Type header of the response to text/plain to prevent browsers from interpreting injected HTML or JavaScript.

Additionally, restrict access to the RSS token and monitor for suspicious requests targeting the /rss/tag/ endpoint.

Useful 0 Not Useful 0