CVE-2026-27645 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting changedetection.io, an open-source web page change detection tool. The vulnerability exists in versions prior to 0.54.1 within the RSS single-watch endpoint, which accepts a UUID as a path parameter. This parameter is reflected directly in the HTTP response body without any HTML escaping or sanitization. Since the underlying Flask framework returns a content type of text/html for plain string responses by default, any malicious JavaScript code injected into the UUID parameter is interpreted and executed by the victim's browser. This improper neutralization of input during web page generation allows attackers to execute arbitrary scripts in the context of the victim's browser session. Exploitation requires the victim to interact with a crafted URL containing the malicious payload. The vulnerability affects confidentiality and integrity by potentially allowing theft of sensitive information or manipulation of client-side data but does not impact availability. The flaw was addressed in version 0.54.1 by implementing proper input sanitization and escaping. No known exploits are currently reported in the wild. The vulnerability has a CVSS v3.1 base score of 6.1, indicating medium severity, with an attack vector of network, low attack complexity, no privileges required, user interaction required, and scope changed due to impact on client-side execution.

The primary impact of CVE-2026-27645 is on the confidentiality and integrity of users interacting with the vulnerable changedetection.io instance. An attacker can craft malicious URLs that, when visited by a user, execute arbitrary JavaScript in the victim's browser context. This can lead to theft of sensitive information such as session tokens, cookies, or other data accessible via the browser, and manipulation of client-side content or behavior. While the vulnerability does not affect the availability of the service, the compromise of user data or session integrity can lead to further attacks such as account takeover or unauthorized actions. Organizations relying on changedetection.io for monitoring web content changes may inadvertently expose their users or administrators to these risks if running vulnerable versions. Since exploitation requires user interaction, phishing or social engineering campaigns could be used to lure victims to malicious URLs. The scope of affected systems is limited to installations of changedetection.io versions prior to 0.54.1, but given the open-source nature and potential deployment in diverse environments, the impact can be widespread if not mitigated.

1. Upgrade changedetection.io to version 0.54.1 or later, where the vulnerability has been fixed by proper HTML escaping of the UUID parameter. 2. If immediate upgrade is not possible, implement web application firewall (WAF) rules to detect and block suspicious input patterns in the UUID path parameter, especially those containing script tags or JavaScript event handlers. 3. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce the impact of potential XSS attacks. 4. Educate users and administrators about the risks of clicking on untrusted URLs, especially those containing unusual parameters. 5. Review and sanitize all user-controllable inputs in custom deployments or integrations of changedetection.io to ensure no unescaped data is reflected in HTML responses. 6. Monitor logs for unusual access patterns to the RSS single-watch endpoint that may indicate attempted exploitation. 7. Conduct regular security assessments and code reviews focusing on input validation and output encoding in web applications.