CVE-2026-29038 MEDIUM

CVE-2026-29038: changedetection.io: Reflected XSS in RSS Tag Error Response

Vendor Dgtlmoon
Product changedetection.io
Weakness CWE-79 · XSS
Published March 6, 2026
Last update March 9, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-10246 lokibhardwaj PHP-Code-For-Unlimited-File-Upload f.php cross site scripting CVE-2024-13591 Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2026-42658 WordPress Classified Listing plugin <= 5.3.8 - Cross Site Scripting (XSS) vulnerability CVE-2022-35698 Adobe Commerce Stored XSS Arbitrary code execution CVE-2025-62911 WordPress Rock Convert plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability