CVE-2026-29038: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dgtlmoon changedetection.io
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
AI Analysis
Technical Summary
CVE-2026-29038 is a reflected cross-site scripting (XSS) vulnerability identified in the open-source web page change detection tool changedetection.io, specifically affecting versions prior to 0.54.4. The vulnerability exists in the /rss/tag/ endpoint where the tag_uuid path parameter is directly reflected in the HTTP response body without proper HTML escaping or sanitization. Because the underlying Flask framework returns content with a default MIME type of text/html for plain string responses, any injected JavaScript code within the tag_uuid parameter is executed by the victim’s browser upon visiting the crafted URL. This improper neutralization of input during web page generation (classified under CWE-79) allows attackers to execute arbitrary scripts in the context of the victim’s browser session. Such scripts can be used to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. Exploitation requires no authentication but does require user interaction, such as clicking a malicious link. The vulnerability affects confidentiality and integrity but does not impact availability. The issue was publicly disclosed on March 6, 2026, and has been patched in version 0.54.4 of changedetection.io. No known exploits have been reported in the wild to date. The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed due to impact on user data. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially when using frameworks that default to text/html content types.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected changedetection.io instances. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. Although availability is not affected, the breach of confidentiality and integrity could undermine trust in the service and expose users to further attacks such as phishing or malware delivery. Organizations running vulnerable versions of changedetection.io may face risks of data leakage or compromise of user accounts, especially if the tool is used in environments with sensitive monitoring or alerting functions. Since exploitation requires user interaction, the threat is somewhat limited to targeted phishing or social engineering campaigns. However, the reflected nature of the XSS means attackers can craft URLs that, when clicked, trigger the malicious payload. The medium CVSS score reflects these factors, indicating a moderate but actionable risk. The absence of known exploits in the wild reduces immediate urgency but does not eliminate the threat, as attackers could develop exploits at any time. Overall, the vulnerability could be leveraged to undermine user trust and compromise sensitive information in affected deployments worldwide.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade changedetection.io to version 0.54.4 or later, where the reflected XSS issue has been patched. If upgrading is not immediately feasible, implement strict input validation and output encoding on the tag_uuid parameter to ensure that any user-supplied input is properly escaped before being included in HTML responses. Consider configuring Flask to return safer content types or explicitly set response headers to prevent browsers from interpreting responses as HTML when not intended. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. Additionally, educate users to be cautious about clicking on suspicious or unexpected URLs, especially those containing unusual parameters. Regularly audit web application endpoints for similar injection flaws and adopt secure coding practices that include sanitizing all user inputs and using templating engines that automatically escape output. Monitoring logs for unusual access patterns to the /rss/tag/ endpoint can help detect attempted exploitation. Finally, maintain an up-to-date inventory of software components and apply security patches promptly to reduce exposure to known vulnerabilities.
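As an added illustration that is not the project's own code, the stdlib-only Python below models the flawed "return a plain string containing tag_uuid" pattern from the description beside a hardened handler that applies the three mitigations above (validate the tag id, escape before reflecting, pin the content type), and adds a check over constructed access-log lines for the log-monitoring recommendation. The message wording, status codes and log format are assumptions.

```python
# Constructed, stdlib-only model of the /rss/tag/<tag_uuid> handler pattern (no Flask).
# Not the project's code: message wording, status codes and log format are assumptions.
import html
import re
import urllib.parse
import uuid

HTML_DEFAULT = "text/html; charset=utf-8"  # what Flask sends for a plain str return value


def vulnerable_rss_tag(tag_uuid):
    """Mirrors the flawed pattern: the path parameter is reflected verbatim and the
    content type is left to Flask's default, so markup in tag_uuid is parsed as HTML."""
    return 200, f"No watches found for tag {tag_uuid}", HTML_DEFAULT


def hardened_rss_tag(tag_uuid):
    """Validate, encode, and pin the content type (the three mitigations above)."""
    try:
        canonical = str(uuid.UUID(tag_uuid))  # 1. validate: a tag id must parse as a UUID
    except ValueError:
        # 2. encode: if the value is echoed at all, escape it first (defence in depth);
        #    the content type is explicit too, so a browser will not render it as HTML.
        return 400, f"Invalid tag id: {html.escape(tag_uuid)}", "text/plain; charset=utf-8"
    # 3. pin the content type: a feed endpoint should never be served as text/html
    return 404, f"No watches found for tag {canonical}", "application/rss+xml; charset=utf-8"


# Constructed access-log lines (common log format) for the detection check below.
ACCESS_LOG = [
    '10.0.0.5 - - [06/Mar/2026:10:01:02 +0000] "GET /rss/tag/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 812',
    '10.0.0.9 - - [06/Mar/2026:10:02:11 +0000] "GET /rss/tag/%3Cb%3Enot-a-uuid%3C%2Fb%3E HTTP/1.1" 200 97',
]
RSS_TAG_RE = re.compile(r'"GET /rss/tag/([^ ?]+)')


def suspicious_rss_tag_requests(lines):
    """Flag requests whose /rss/tag/ segment is not a well-formed UUID; on an
    unpatched instance such a request is a likely probe of this flaw."""
    hits = []
    for line in lines:
        m = RSS_TAG_RE.search(line)
        if not m:
            continue
        try:
            uuid.UUID(urllib.parse.unquote(m.group(1)))
        except ValueError:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(vulnerable_rss_tag("<b>x</b>"))
    print(hardened_rss_tag("<b>x</b>"))
    print(suspicious_rss_tag_requests(ACCESS_LOG))
```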
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T17:50:11.242Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b925
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/13/2026, 7:36:22 PM
Last updated: 4/20/2026, 1:28:18 PM