PT-2026-21867 · Unknown · Changedetection.Io

Route2Shell · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27696

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
changedetection.io versions prior to 0.54.1

Description
changedetection.io is a web page change detection tool susceptible to Server-Side Request Forgery (SSRF). The is_safe_valid_url() function does not properly validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user, or any user when no password is configured, can add a watch for internal network URLs. The application then fetches these URLs server-side, stores the content, and makes it accessible through the web interface, potentially allowing full data exfiltration from internal services.

Recommendations
Update to version 0.54.1 or later to address this vulnerability.
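
The kind of resolved-address check the description says was missing, as an added example; it is not changedetection.io's code and not the 0.54.1 fix. The names `check_watch_url`, `is_internal_address`, `system_resolver` and `sample_resolver` are hypothetical, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host, port):
    """Return every address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_internal_address(addr):
    """True if addr is private, loopback, link-local or otherwise non-public."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_watch_url(url, resolver=system_resolver):
    """Return (allowed, reason), judged on the addresses the host resolves to."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "unsupported scheme or missing host"
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolver(parts.hostname, port)
    except (OSError, ValueError) as exc:
        return False, f"rejected: {exc}"
    if not addrs:
        return False, "no addresses returned"
    # Reject if ANY record is internal: a mixed answer must not pass.
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, "ok"

# Constructed DNS answers (not real lookups) so the example runs offline.
SAMPLE_DNS = {
    "example.org": ["93.184.216.34"],
    "metadata.internal.test": ["169.254.169.254"],
    "mixed.test": ["93.184.216.34", "10.0.0.5"],
}

def sample_resolver(host, port):
    try:
        ipaddress.ip_address(host)  # literal IPs resolve to themselves
        return [host]
    except ValueError:
        return SAMPLE_DNS.get(host, [])
```

A check made only when the watch is added covers the address seen at that moment; the fetcher needs the same check on the address it actually connects to, including after redirects.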

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-27696
GHSA-3C45-4PJ5-CH7M

Affected Products

Changedetection.Io