
changedetection.io: Malicious code execution via tag UUID

CVE-2026-29038 · GHSA-8whx-v8qq-pq64
Summary

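A reflected cross-site scripting (XSS) flaw in changedetection.io's /rss/tag/ RSS feed endpoint lets an attacker inject JavaScript through the tag_uuid path parameter, which is echoed into the response without HTML escaping and executes in the browser of a user who visits the feed. The issue is fixed in version 0.54.4; update to that version to protect your site.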

What to do
  • Update changedetection.io to version 0.54.4.
  • Update dgtlmoon changedetection-io to version 0.54.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
| - | changedetection.io | <= 0.54.4 | 0.54.4 |
| dgtlmoon | changedetection-io | <= 0.54.4 | 0.54.4 |
| webtechnologies | changedetection | <= 0.54.4 | - |
Original title
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint ...
Original description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
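
The reflection described under "Original description", shown beside one hardened form. This is an added example, not changedetection.io's code or its 0.54.4 patch: the handlers are hypothetical plain functions returning the (body, status, headers) tuples a Flask view may return, so it runs without Flask, and the tag store, UUID, probe string and message text are constructed.

```python
import html
import uuid

# Constructed tag store; the real application keeps tags in its own datastore.
TAGS = {"3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b": "news"}
PLAIN = {"Content-Type": "text/plain; charset=utf-8",
         "X-Content-Type-Options": "nosniff"}


def rss_tag_vulnerable(tag_uuid):
    """'Before' shape: the path parameter is placed in the body unescaped.

    A Flask view returning (str, status) is served as text/html by default,
    so the browser parses any markup carried in the URL path.
    """
    if tag_uuid not in TAGS:
        return f"Tag with UUID {tag_uuid} not found", 404
    return f"<rss><channel><title>{TAGS[tag_uuid]}</title></channel></rss>", 200


def rss_tag_hardened(tag_uuid):
    """Hardened shape: validate as a UUID, escape on output, never text/html."""
    try:
        canonical = str(uuid.UUID(tag_uuid))  # only hex digits and hyphens survive
    except ValueError:
        return "Invalid tag UUID", 400, PLAIN  # rejected input is not echoed
    if canonical not in TAGS:
        return f"Tag with UUID {html.escape(canonical)} not found", 404, PLAIN
    title = html.escape(TAGS[canonical])
    return (f"<rss><channel><title>{title}</title></channel></rss>", 200,
            {"Content-Type": "application/rss+xml; charset=utf-8"})


def reflects_as_html(response, probe):
    """True if the probe comes back verbatim in a response served as HTML."""
    body, _status, *rest = response
    ctype = (rest[0] if rest else {}).get("Content-Type", "text/html")
    return probe in body and ctype.startswith("text/html")


if __name__ == "__main__":
    probe = "<i>probe</i>"  # constructed, inert marker
    print("vulnerable reflects:", reflects_as_html(rss_tag_vulnerable(probe), probe))
    print("hardened reflects:  ", reflects_as_html(rss_tag_hardened(probe), probe))
```

The same `reflects_as_html` check works as a regression test against any error path that echoes request data.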