CVE-2026-27645 Overview
CVE-2026-27645 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting changedetection.io, a free, open-source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Because Flask serves plain string responses as text/html by default, the browser parses the reflected value as HTML and executes any injected JavaScript, letting an attacker run arbitrary script in the context of a victim's session.
Critical Impact
Attackers can inject malicious JavaScript through the UUID parameter, potentially stealing session cookies, performing actions on behalf of authenticated users, or redirecting victims to malicious sites.
Affected Products
- webtechnologies changedetection (versions prior to 0.54.1)
- changedetection.io web application deployments
- Self-hosted changedetection.io instances
Discovery Timeline
- 2026-02-25 - CVE CVE-2026-27645 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27645
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the RSS single-watch endpoint where user-controlled input (the UUID path parameter) is directly reflected in HTTP responses without sanitization.
Flask's default behavior of returning responses with Content-Type: text/html compounds this issue. When a malicious UUID containing JavaScript code is submitted, the browser interprets the response as HTML and executes embedded scripts. This allows attackers to craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript in their browser context.
The attack vector is network-accessible and requires user interaction (clicking a malicious link); its impact extends beyond the vulnerable application itself, because the script runs in the victim's browser and can reach resources outside the application's own scope.
Root Cause
The root cause stems from insufficient input validation on the UUID path parameter in the API endpoints. The application accepted arbitrary string input for UUID parameters using <string:uuid> route converters instead of properly typed UUID converters. This allowed attackers to inject HTML/JavaScript content that would be reflected in error responses without proper escaping.
Attack Vector
The attack leverages the network-accessible RSS endpoint where an attacker crafts a URL containing malicious JavaScript in place of a valid UUID. When a victim clicks this link, the Flask application reflects the malicious input in the response body. Since the response is served with text/html content type, the victim's browser parses and executes the injected script. This enables cookie theft, session hijacking, phishing attacks, or other malicious actions within the user's authenticated session.
# Security patch in changedetectionio/api/Tags.py
# Source: https://github.com/dgtlmoon/changedetection.io/commit/a385c89abf44b52fcfa20c7c6a6dd3047c4c1eb5
self.update_q = kwargs['update_q']
# Get information about a single tag
- # curl http://localhost:5000/api/v1/tag/<string:uuid>
+ # curl http://localhost:5000/api/v1/tag/<uuid_str:uuid>
@auth.check_token
@validate_openapi_request('getTag')
def get(self, uuid):
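Review bot: the only changed lines in this excerpt are the usage comment (`- # curl http://localhost:5000/api/v1/tag/<string:uuid>` → `+ # curl http://localhost:5000/api/v1/tag/<uuid_str:uuid>`); the route registration that binds the `uuid_str` converter to this endpoint, and the converter's own definition, lie outside the shown lines, so the excerpt by itself does not demonstrate that malformed input is rejected before `get(self, uuid)` runs. Include the route registration line (and the converter class) in the excerpt so the enforcement is verifiable from the patch.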
The patch changes the route parameter type from <string:uuid> to <uuid_str:uuid>, ensuring only properly formatted UUID strings are accepted, effectively blocking injection of arbitrary content.
Detection Methods for CVE-2026-27645
Indicators of Compromise
- Unusual URL patterns in web server logs containing HTML or JavaScript in UUID parameters
- Access logs showing requests to /api/v1/watch/ or /api/v1/tag/ endpoints with encoded script tags
- Error responses containing reflected user input with script elements
Detection Strategies
- Monitor web application firewall (WAF) logs for XSS patterns in API requests to changedetection.io endpoints
- Implement content security policy (CSP) violation reporting to detect script injection attempts
- Review HTTP access logs for anomalous UUID parameter values containing special characters like <, >, or script
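The log review described in the indicators and strategies above, as an added example (not code from changedetection.io): it extracts the path segment that should be a UUID under /api/v1/watch/ and /api/v1/tag/, URL-decodes it, and flags anything that is not a canonical UUID, marking entries that also carry script or markup characters. The log format and all sample lines are constructed.

```python
"""Flag requests to the affected endpoint families whose UUID segment is malformed.
Added example, not part of changedetection.io; log lines below are constructed."""
import re
import uuid
from urllib.parse import unquote

# Request target of the two endpoint families named in the advisory; group 2 is
# whatever the client supplied in place of the UUID (up to the next '/', ' ' or '?').
PATH_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (/api/v1/(?:watch|tag)/([^/ ?]+))[^"]*"')
# Markup and script indicators worth escalating once a segment is already malformed.
SUSPECT_RE = re.compile(r"[<>\"']|script|javascript:|on\w+=", re.IGNORECASE)

# Constructed Common Log Format lines: two legitimate calls, two probes, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /api/v1/watch/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Feb/2026:10:01:09 +0000] "GET /api/v1/tag/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 211',
    '203.0.113.7 - - [25/Feb/2026:10:02:30 +0000] "GET /api/v1/tag/%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 404 120',
    '203.0.113.7 - - [25/Feb/2026:10:02:41 +0000] "GET /api/v1/watch/not-a-uuid HTTP/1.1" 404 98',
    '10.0.0.9 - - [25/Feb/2026:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 3401',
]


def is_valid_uuid(segment: str) -> bool:
    """True only for a canonical 36-character UUID; braces, urn: prefixes and
    unhyphenated hex are rejected so the check stays strict."""
    try:
        return str(uuid.UUID(segment)) == segment.lower()
    except ValueError:
        return False


def scan_log(lines):
    """Return (decoded_segment, reason, raw_line) for each malformed UUID segment;
    reason is 'xss-markers' when markup/script indicators are present."""
    findings = []
    for line in lines:
        match = PATH_RE.search(line)
        if not match:
            continue
        segment = unquote(match.group(2))  # %3Cscript%3E -> <script>
        if is_valid_uuid(segment):
            continue
        reason = "xss-markers" if SUSPECT_RE.search(segment) else "malformed-uuid"
        findings.append((segment, reason, line))
    return findings


if __name__ == "__main__":
    for segment, reason, line in scan_log(SAMPLE_LOG):
        print(f"{reason:14} {segment!r}\n    {line}")
```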
Monitoring Recommendations
- Enable verbose logging on the changedetection.io application to capture request parameters
- Configure intrusion detection systems (IDS) to alert on reflected XSS patterns in HTTP responses
- Send Content Security Policy (CSP) headers so the browser refuses to execute injected script even if the reflection occurs
How to Mitigate CVE-2026-27645
Immediate Actions Required
- Upgrade changedetection.io to version 0.54.1 or later immediately
- Review application logs for evidence of exploitation attempts
- Implement Web Application Firewall (WAF) rules to block XSS patterns in URL parameters
- Consider implementing Content Security Policy (CSP) headers as defense-in-depth
Patch Information
The vulnerability has been addressed in changedetection.io version 0.54.1. The fix implements proper UUID type validation using a custom uuid_str converter that rejects malformed input before it can be reflected in responses. For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory GHSA-mw8m-398g-h89w.
Workarounds
- Deploy a reverse proxy or WAF with XSS filtering rules in front of the application
- Restrict network access to the changedetection.io instance to trusted users only
- Implement CSP headers at the web server level to prevent inline script execution
# Example nginx configuration for CSP headers (place in the server or location block that proxies the application;
# note that an add_header in a location block replaces, rather than extends, add_header directives inherited from the server block)
# Blocks inline and third-party scripts, so a reflected <script> payload is not executed; confirm the application's own
# pages still work under this policy, since any inline script the UI itself relies on is blocked as well
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;
# Prevents the browser from sniffing a response into a different content type
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: Chromium removed its XSS auditor and Firefox never shipped one, so only older browsers honor this
add_header X-XSS-Protection "1; mode=block" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

