Summary
Three security vulnerabilities were identified in changedetection.io through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version (0.53.6). The finding was additionally validated at scale against 500 internet-facing instances discovered via the FOFA search engine, producing 5K+ confirmed detections using a custom Nuclei template, demonstrating widespread real-world impact.
The RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript.
Details
File: changedetectionio/blueprint/rss/single_watch.py (lines ~45 and ~50)
The UUID parameter from the URL path is interpolated into the response body using an f-string with no escaping:
Line ~45
    watch = datastore.data['watching'].get(uuid)
    if not watch:
        return f"Watch with UUID {uuid} not found", 404  # ← No escaping, Content-Type: text/html
Line ~50
    if len(dates) < 2:
        return f"Watch {uuid} does not have enough history snapshots...", 400  # ← Same issue
Flask's default Content-Type for plain string responses is text/html; charset=utf-8, so any HTML/JavaScript in {uuid} is rendered by the browser.
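The reported pattern beside a hardened form, as an added stand-alone example (not changedetection.io's code): the watch store, the handler names and the sample UUID are constructed here, and the tuple (body, status, content type) stands in for what Flask would send.

```python
import html
import uuid
from urllib.parse import unquote

# Constructed stand-in for datastore.data['watching']; one valid watch.
CONSTRUCTED_WATCHES = {"5f3c6a2e-1b4d-4e7f-9a0b-1c2d3e4f5a6b": {"history": [1, 2]}}


def vulnerable_not_found(watch_uuid, watches=CONSTRUCTED_WATCHES):
    """Mirrors the reported defect: the raw path parameter is interpolated into a
    plain string, and Flask serves a plain string as text/html by default."""
    if watch_uuid not in watches:
        return f"Watch with UUID {watch_uuid} not found", 404, "text/html; charset=utf-8"
    return "ok", 200, "application/rss+xml"


def hardened_not_found(watch_uuid, watches=CONSTRUCTED_WATCHES):
    """Three independent mitigations: validate the parameter as a UUID before
    it reaches any response, escape anything that is reflected, and send the
    error as text/plain so a browser never parses it as markup.
    (In Flask itself the equivalent is flask.Response(body, status=404,
    mimetype="text/plain") plus markupsafe.escape.)"""
    try:
        canonical = str(uuid.UUID(watch_uuid))  # raises ValueError on non-UUID input
    except ValueError:
        # A fixed message is enough for a 404; do not echo the raw value at all.
        return "Watch not found", 404, "text/plain; charset=utf-8"
    if canonical not in watches:
        body = f"Watch with UUID {html.escape(canonical)} not found"
        return body, 404, "text/plain; charset=utf-8"
    return "ok", 200, "application/rss+xml"


def reflects_markup(body):
    """Detection helper for tests or response scanning: True if an angle
    bracket survived into the response body."""
    return "<" in body or ">" in body


# The URL-encoded path segment from the advisory, decoded the way a router would.
DECODED_PATH_PARAM = unquote("%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E")
```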
Attack Vector
The attack requires a valid RSS access token, which is a 32-character hex string exposed in the HTML tag on the homepage without authentication:
- The attacker visits the target's homepage, if it is unauthenticated, and extracts the RSS token from the tag
- Crafts a malicious URL:
  http://target:5000/rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=EXTRACTED_TOKEN
- Sends the link to a victim who has an active session on the changedetection.io instance
- When the victim clicks the link, the server responds with:
  Watch with UUID not found
- The browser renders the tag, the onerror fires, and JavaScript executes in the victim's session context
PoC
Request:
GET /rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=223e7edbbfee2268f5abb5344919054e HTTP/1.1
Host: 127.0.0.1:5000
Response:
HTTP/1.1 404 NOT FOUND
Content-Type: text/html; charset=utf-8
Watch with UUID not found
The XSS payload is reflected unescaped in an HTML response. The browser executes alert(document.cookie).
Many instances on the internet are affected by this.
Roberto Nunes
Impact
- Session cookie theft via document.cookie exfiltration
- Account takeover if session cookies lack HttpOnly flag
- Phishing via crafted links that appear to originate from a trusted changedetection.io instance
- Token is obtainable without authentication from the homepage tag, lowering the barrier to exploitation
changedetection.io can work with developer teams to validate and address these issues. Please confirm receipt of this report and inform changedetection.io of the preferred timeline for coordinating the fix.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-27645 has a CVSS score of 6.1 (Medium). The attack vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.53.7); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-27645? CVE-2026-27645 is a medium-severity cross-site scripting (XSS) vulnerability in changedetection.io (pip), affecting versions <= 0.53.6. It is fixed in 0.53.7. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2026-27645? CVE-2026-27645 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of changedetection.io are affected by CVE-2026-27645? changedetection.io (pip) versions <= 0.53.6 are affected.
- Is there a fix for CVE-2026-27645? Yes. CVE-2026-27645 is fixed in 0.53.7. Upgrade to this version or later.
- Is CVE-2026-27645 exploitable, and should I be worried? Whether CVE-2026-27645 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-27645 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-27645? Upgrade changedetection.io to 0.53.7 or later.