PT-2026-21866 · Unknown · Changedetection.Io

Akokonunes +1 · Published 2026-02-25 · Updated 2026-03-12 · CVE-2026-27645
CVSS v3.1 6.1 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.54.1
Description: The RSS single-watch endpoint reflects the UUID path parameter into the HTTP response body without HTML escaping. Because Flask serves a plain string return value as text/html by default, a browser that follows a crafted link parses the echoed value as HTML and executes any script it contains. This is a reflected cross-site scripting (XSS) vulnerability: it needs no authentication, but it does require the victim to open the attacker-supplied URL (UI:R in the vector above).
Recommendations: Update to version 0.54.1 or later.
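The pattern the description refers to, as an added example (not changedetection.io's code) in a stand-alone WSGI app. Assumptions: the route shape `/rss/<uuid>`, that the reflection happens in the unknown-UUID branch, the constructed watch table, and the probe payload. Flask is replaced by the standard library so the block runs offline; the vulnerable handler sets `text/html` explicitly, which is the Content-Type Flask gives a plain string return value by default. The hardened handler shows the three independent fixes a reviewer would ask for, and `reflects_as_html` is the check a tester runs to confirm the reflection is actually exploitable.

```python
"""Reflected XSS via an echoed path parameter, reproduced in a stand-alone WSGI app.

Added example, not changedetection.io's code.  Assumptions: the route shape
(/rss/<uuid>), that the reflection happens in the unknown-UUID branch, the
constructed watch table, and the probe payload.  Flask is replaced by the
standard library: the vulnerable handler sets text/html explicitly, which is
the Content-Type Flask gives a plain string return value by default.
"""
import html
import uuid
from wsgiref.util import setup_testing_defaults

# Constructed data: a single known watch.
KNOWN_WATCHES = {"3b1f0c9a-1234-4d5e-8abc-0123456789ab": "Example watch"}
PREFIX = "/rss/"


def _rss(title):
    return ('<?xml version="1.0"?><rss version="2.0"><channel>'
            f"<title>{html.escape(title)}</title></channel></rss>")


def vulnerable_app(environ, start_response):
    """Mirrors the advisory: the raw path segment lands in an HTML-typed body."""
    path = environ["PATH_INFO"]
    if not path.startswith(PREFIX):
        start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"not found"]
    watch_id = path[len(PREFIX):]
    if watch_id not in KNOWN_WATCHES:
        # BUG: untrusted input concatenated into a body the browser parses as HTML.
        body = f"No watch found for UUID {watch_id}"
        start_response("404 Not Found", [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode("utf-8")]
    start_response("200 OK", [("Content-Type", "application/rss+xml; charset=utf-8")])
    return [_rss(KNOWN_WATCHES[watch_id]).encode("utf-8")]


def hardened_app(environ, start_response):
    """Same route, three independent fixes: validate the id as a UUID before
    using it, never echo an invalid value, and send any error as text/plain
    with HTML-escaped content so a browser will not execute it."""
    path = environ["PATH_INFO"]
    if not path.startswith(PREFIX):
        start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"not found"]
    try:
        watch_id = str(uuid.UUID(path[len(PREFIX):]))   # canonical lowercase form
    except ValueError:
        start_response("400 Bad Request", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"watch id must be a UUID"]
    if watch_id not in KNOWN_WATCHES:
        body = f"No watch found for UUID {html.escape(watch_id)}"
        start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
        return [body.encode("utf-8")]
    start_response("200 OK", [("Content-Type", "application/rss+xml; charset=utf-8")])
    return [_rss(KNOWN_WATCHES[watch_id]).encode("utf-8")]


def get(app, watch_id):
    """In-process GET.  PATH_INFO is already URL-decoded in WSGI, so the raw
    payload is passed exactly as a server would hand it to the app."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = PREFIX + watch_id
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


PROBE = "<script>alert(document.domain)</script>"   # constructed probe payload


def reflects_as_html(app, payload=PROBE):
    """The check a tester runs: is the payload echoed verbatim, and does the
    Content-Type make a browser parse the body as HTML?  Both must hold for
    the reflection to be exploitable as XSS."""
    _status, headers, body = get(app, payload)
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return payload in body and ctype == "text/html"


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(f"{name}: exploitable reflection = {reflects_as_html(app)}")
```

Note that escaping alone would already stop this payload, but the content type matters independently: an escaped body served as text/html is safe only until someone adds another unescaped field, while a text/plain or application/rss+xml body is never script-executed by a browser regardless of what it contains. Validating the id as a UUID before use removes the reflection entirely, which is why the hardened handler does it first.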

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-27645
GHSA-MW8M-398G-H89W

Affected Products

Changedetection.Io