PT-2026-23058 · Unknown · Changedetection.Io

Akokonunes · Published 2026-03-04 · Updated 2026-03-06 · CVE-2026-29038

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.54.4

Description: The software contains a reflected cross-site scripting (XSS) issue in the /rss/tag/ endpoint. The tag uuid path parameter is included directly in the HTTP response without HTML escaping. Because Flask serves a plain string return value as text/html by default, injected JavaScript is executed by the browser. The issue was present in version 0.54.1, which addressed a similar XSS in /rss/watch/ but did not resolve the problem in the tag RSS endpoint. The attack requires a valid RSS access token, which is publicly available on the homepage. Successful exploitation could lead to session cookie theft, account takeover, and phishing attacks. Approximately 500 publicly accessible deployments are estimated to be affected. The vulnerable code is located in changedetectionio/blueprint/rss/tag.py at line 36. The vulnerable parameter is tag uuid.

Recommendations: Versions prior to 0.54.4: escape the tag uuid parameter before including it in the response, or set the Content-Type to text/plain.
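As an added illustration, not changedetection.io's own code, here is a minimal stand-in for a Flask-style view that reflects the path parameter as text/html, beside the version that applies both recommended mitigations (escape the value, serve as text/plain). The function names, the message text and the probe value are assumptions for the example.

```python
from html import escape

# Constructed stand-in for a Flask-style RSS error path that echoes the path
# parameter back to the client. Not changedetection.io's code; the function
# names and the message text are assumptions for illustration.


def rss_tag_response_vulnerable(tag_uuid: str):
    # Returns (body, content_type). A bare string returned from a Flask view
    # is served as text/html, so any markup in tag_uuid renders in the browser.
    body = f"Tag with UUID {tag_uuid} not found"
    return body, "text/html"


def rss_tag_response_fixed(tag_uuid: str):
    # Both recommended mitigations applied: HTML-escape the reflected value
    # and declare the body as text/plain so browsers never parse it as HTML.
    body = f"Tag with UUID {escape(tag_uuid, quote=True)} not found"
    return body, "text/plain"


def reflects_unescaped_markup(body: str, content_type: str, tag_uuid: str) -> bool:
    # Self-check a reviewer can run over a view: the response is risky when it
    # is served as HTML and the untrusted value appears in it with its raw '<'.
    served_as_html = content_type.split(";")[0].strip() == "text/html"
    return served_as_html and "<" in tag_uuid and tag_uuid in body


if __name__ == "__main__":
    probe = "<b>not-a-uuid</b>"  # constructed probe value, not a real tag id
    for view in (rss_tag_response_vulnerable, rss_tag_response_fixed):
        body, ctype = view(probe)
        print(view.__name__, ctype, reflects_unescaped_markup(body, ctype, probe))
```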

Exploit · Fix · XSS


Related Identifiers

CVE-2026-29038
GHSA-8WHX-V8QQ-PQ64

Affected Products

Changedetection.Io