CVE-2026-29038: changedetection.io has Reflected XSS in its RSS Tag Error Response
(updated )
A reflected cross-site scripting (XSS) vulnerability was identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript.
This vulnerability persists in version 0.54.1, which patched the related XSS in /rss/watch/ (CVE-2026-27645 / GHSA-mw8m-398g-h89w) but did not address the identical pattern in the tag RSS endpoint.
References
- github.com/advisories/GHSA-8whx-v8qq-pq64
- github.com/dgtlmoon/changedetection.io
- github.com/dgtlmoon/changedetection.io/commit/ec7d56f85d1e9690fca7cb4711c1fb20dffec780
- github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8whx-v8qq-pq64
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-mw8m-398g-h89w
- nvd.nist.gov/vuln/detail/CVE-2026-29038
Code Behaviors & Features
Detect and mitigate CVE-2026-29038 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →