CVE-2026-29038 Overview
CVE-2026-29038 is a reflected cross-site scripting (XSS) vulnerability discovered in changedetection.io, a free open source web page change detection tool. The vulnerability exists in the /rss/tag/ endpoint where the tag_uuid path parameter is reflected directly in the HTTP response body without proper HTML escaping. Because Flask returns text/html by default for plain string responses, browsers parse and execute any injected JavaScript code, allowing attackers to perform XSS attacks against users who click on maliciously crafted links.
Critical Impact
Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript in the context of the changedetection.io application, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the victim.
Affected Products
- webtechnologies changedetection (versions prior to 0.54.4)
Discovery Timeline
- 2026-03-06 - CVE-2026-29038 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29038
Vulnerability Analysis
This reflected XSS vulnerability occurs due to improper input validation in the RSS tag endpoint of changedetection.io. When a user accesses the /rss/tag/<tag_uuid> route, the application reflects the tag_uuid parameter directly into the HTTP response without sanitizing or escaping HTML entities. The Flask framework, by default, returns responses with a Content-Type of text/html for plain string responses, which causes browsers to interpret and execute any embedded JavaScript code.
The vulnerability allows an attacker to construct a URL containing malicious JavaScript in the tag_uuid parameter. When a victim clicks on this crafted URL, the malicious script executes within the victim's browser session, potentially enabling session hijacking, phishing attacks, or unauthorized actions performed on behalf of the user.
Root Cause
The root cause is the lack of input validation and output encoding for the tag_uuid path parameter in the RSS tag endpoint. The application accepts arbitrary string input without type validation and reflects it in error responses without HTML escaping. Flask's default behavior of serving plain string responses as text/html exacerbates this issue by enabling browser-side script execution.
Attack Vector
An attacker exploits this vulnerability by crafting a malicious URL targeting the /rss/tag/ endpoint with JavaScript code embedded in the tag_uuid parameter. The attack is network-based and requires user interaction—specifically, the victim must click on the malicious link. When the victim accesses the crafted URL, the server reflects the malicious payload in the response, and the browser executes the JavaScript in the context of the application's origin.
The patch addresses this by changing the route parameter type from string:tag_uuid to uuid_str:tag_uuid, which enforces proper UUID format validation:
datastore: The ChangeDetectionStore instance
"""
- @rss_blueprint.route("/tag/<string:tag_uuid>", methods=['GET'])
+ @rss_blueprint.route("/tag/<uuid_str:tag_uuid>", methods=['GET'])
def rss_tag_feed(tag_uuid):
from flask import make_response, request, url_for
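Review bot: the converter change on the `@rss_blueprint.route` line is input validation, not output encoding, so the review should confirm two things that the hunk itself does not show. First, `uuid_str` is not one of Werkzeug's built-in converters (the built-in one is `uuid`), so the fix only holds if that custom converter is registered on the app and rejects anything that is not a well-formed UUID; otherwise the route fails to register or keeps matching arbitrary strings. Second, any error branch inside `rss_tag_feed` that still builds a plain-string response from user-controlled data should escape it (or return a non-HTML content type), since a validated UUID now never reaches that path but the response-construction pattern that caused the bug is unchanged.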
Source: GitHub Commit
Detection Methods for CVE-2026-29038
Indicators of Compromise
- Suspicious HTTP requests to /rss/tag/ endpoints containing HTML or JavaScript syntax in the URL path
- Web server logs showing URL-encoded script tags (%3Cscript%3E) or event handlers in tag_uuid parameter
- Unusual referrer headers pointing to external sites with malicious URL patterns
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS payloads in URL paths
- Configure intrusion detection systems (IDS) to alert on requests containing <script>, javascript:, or event handler patterns in URL parameters
- Monitor application logs for requests to /rss/tag/ endpoints with non-UUID format values
Monitoring Recommendations
- Enable verbose logging for the RSS blueprint endpoints to capture all incoming tag_uuid values
- Set up alerting for HTTP 500 errors or unusual response sizes from the /rss/tag/ endpoint
- Implement real-time log analysis to detect potential XSS exploitation attempts
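A small log-analysis script covering the "non-UUID format values" detection strategy and the monitoring recommendations above. It is an added example, not code from the changedetection.io project or from this advisory; the log lines are constructed samples in the common combined log format, and the IP addresses and values in them are placeholders.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# Strict 8-4-4-4-12 hex form, the only shape a tag_uuid should take.
# uuid.UUID() is deliberately not used: it also accepts braces, a
# "urn:uuid:" prefix and hyphen-less input, looser than a path check should be.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
# Combined log format: client - user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TAG_PREFIX = "/rss/tag/"

def is_valid_tag_uuid(value: str) -> bool:
    return bool(UUID_RE.match(value))

def tag_uuid_from_path(path: str) -> Optional[str]:
    """Raw tag_uuid segment of a /rss/tag/<tag_uuid> request path, or None."""
    path_only = path.split("?", 1)[0]
    if not path_only.startswith(TAG_PREFIX):
        return None
    return path_only[len(TAG_PREFIX):]

def suspicious_rss_tag_requests(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """(client, decoded tag_uuid, status) for every request whose tag_uuid is not a UUID."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        client, _ts, _method, path, status, _size = m.groups()
        raw = tag_uuid_from_path(path)
        if raw is None:
            continue
        decoded = urllib.parse.unquote(raw)  # %3Cscript%3E -> <script>
        if not is_valid_tag_uuid(decoded):
            findings.append((client, decoded, int(status)))
    return findings

# Constructed sample lines (not real traffic): a legitimate feed fetch, an
# encoded script-tag probe, an attribute/event-handler probe, an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /rss/tag/123e4567-e89b-12d3-a456-426614174000 HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /rss/tag/%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 500 143',
    '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /rss/tag/x%22%20onload%3Dy HTTP/1.1" 500 140',
    '203.0.113.9 - - [10/Mar/2026:12:00:04 +0000] "GET /static/styles.css HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, value, status in suspicious_rss_tag_requests(SAMPLE_LOG):
        print(f"{client} sent non-UUID tag_uuid={value!r} (HTTP {status})")
```

The same `is_valid_tag_uuid` check is what a reverse-proxy or WAF rule for the workaround below needs to enforce; pairing it with the HTTP 500 status makes a useful alert, since a patched 0.54.4 instance answers non-UUID values with a 404 instead of reaching the error path.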
How to Mitigate CVE-2026-29038
Immediate Actions Required
- Upgrade changedetection.io to version 0.54.4 or later immediately
- Review web server logs for any signs of exploitation attempts targeting the /rss/tag/ endpoint
- Inform users about potential phishing attempts involving malicious links to the changedetection.io application
Patch Information
The vulnerability has been addressed in changedetection.io version 0.54.4. The fix implements proper input validation by changing the route parameter type from string:tag_uuid to uuid_str:tag_uuid, ensuring only valid UUID strings are accepted. Users should upgrade to version 0.54.4 or later by following the official release notes. Additional details are available in the GitHub Security Advisory GHSA-8whx-v8qq-pq64.
Workarounds
- Implement a reverse proxy or WAF rule to validate that tag_uuid parameters conform to UUID format before reaching the application
- Restrict access to the RSS endpoints to trusted networks or authenticated users only
- Deploy Content Security Policy (CSP) headers to mitigate the impact of any XSS attacks
# Example nginx configuration to block non-UUID values in tag_uuid.
# The regex inside "if" contains braces, so it must stay quoted; $1 is the
# path segment captured by the location regex.
location ~ ^/rss/tag/(.+)$ {
    # Only allow valid UUID format (8-4-4-4-12 hex characters)
    if ($1 !~ "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") {
        return 400;
    }
    proxy_pass http://changedetection_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.