CVE-2026-29038: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dgtlmoon changedetection.io

Severity: Medium
Tags: Vulnerability, CVE-2026-29038, CWE-79
Published: Fri Mar 06 2026 (03/06/2026, 06:53:56 UTC)
Source: CVE Database V5
Vendor/Project: dgtlmoon
Product: changedetection.io

Description

CVE-2026-29038 is a reflected cross-site scripting (XSS) vulnerability in changedetection.io versions prior to 0.54.4. The vulnerability exists in the /rss/tag/ endpoint, where the tag_uuid parameter is reflected without proper HTML escaping, allowing injected JavaScript to execute in the victim's browser. This occurs because the Flask framework returns text/html by default for plain string responses, enabling script execution. Exploitation requires user interaction, such as clicking a crafted URL. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS score of 6.1 (medium severity). The issue has been patched in version 0.

AI-Powered Analysis

Last updated: 03/06/2026, 07:31:24 UTC

Technical Analysis

CVE-2026-29038 is a reflected cross-site scripting (XSS) vulnerability identified in the open-source web page change detection tool changedetection.io, specifically in versions prior to 0.54.4. The vulnerability resides in the /rss/tag/ endpoint, where the tag_uuid path parameter is directly reflected in the HTTP response body without proper HTML escaping or sanitization. Because changedetection.io uses the Flask web framework, which by default returns responses with a content type of text/html for plain string responses, any malicious JavaScript code injected via the tag_uuid parameter is parsed and executed by the victim's browser. This allows an attacker to craft a malicious URL that, when visited by a user, executes arbitrary JavaScript in the context of the changedetection.io web application. Such execution can lead to theft of session tokens, manipulation of page content, or other malicious actions affecting the confidentiality and integrity of user data. The vulnerability does not impact availability and does not require authentication, but it does require user interaction (clicking a malicious link). The issue has been addressed and patched in version 0.54.4 by implementing proper input neutralization and escaping. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed due to the potential impact on user data beyond the vulnerable component.

Potential Impact

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected instances of changedetection.io. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Since changedetection.io is a web-based tool used for monitoring web page changes, compromised user sessions could lead to unauthorized access to monitored data or manipulation of monitoring results. Although availability is not affected, the trustworthiness of the application and user data integrity is at risk. Organizations relying on changedetection.io for critical monitoring tasks could face data leakage or manipulation risks. The vulnerability’s exploitation requires user interaction, which somewhat limits automated widespread exploitation but does not eliminate targeted phishing or social engineering attacks. Given that changedetection.io is open source and can be self-hosted, organizations running vulnerable versions in internal or external environments are at risk, especially if exposed to untrusted users or the internet.

Mitigation Recommendations

The primary mitigation is to upgrade changedetection.io to version 0.54.4 or later, where the vulnerability has been patched by implementing proper HTML escaping of user-supplied input in the tag_uuid parameter. For organizations unable to immediately upgrade, applying web application firewall (WAF) rules to detect and block suspicious input patterns targeting the /rss/tag/ endpoint can reduce risk. Additionally, administrators should audit and sanitize all user inputs reflected in HTTP responses to prevent similar XSS issues. Employing Content Security Policy (CSP) headers can help mitigate the impact of any injected scripts by restricting script execution sources. Educating users about the risks of clicking untrusted links and implementing multi-factor authentication can reduce the impact of session hijacking attempts. Regular security assessments and code reviews focusing on input validation and output encoding are recommended to prevent future injection vulnerabilities.
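The bug class described in the technical analysis and the fix described above, side by side, as an added example that is not changedetection.io's own code: two view-style functions in the (body, status, headers) shape Flask accepts as a return value, so they run without Flask installed. The function names, the response text and the sample input are constructed for illustration.

```python
import html
import uuid

# Added example, not changedetection.io's code. Both functions return values in
# the (body, status, headers) form a Flask view may return; only the hardened
# one is a recommendation.


def vulnerable_rss_tag(tag_uuid: str):
    """Reconstruction of the bug class (hypothetical, not the project's code):
    an unknown tag id is reflected into a plain string. Flask serves a bare
    string as text/html, so any markup in tag_uuid is rendered, not shown."""
    return f"Tag {tag_uuid} not found"  # implicit 200, implicit text/html


def hardened_rss_tag(tag_uuid: str):
    """Validate first, escape second, and set the content type explicitly."""
    try:
        tag_id = str(uuid.UUID(tag_uuid))  # raises ValueError unless a real UUID
    except ValueError:
        # Even the error path escapes the value and declares text/plain, so a
        # browser never treats the reflected input as markup.
        body = f"Tag {html.escape(tag_uuid)} not found"
        return body, 404, {"Content-Type": "text/plain; charset=utf-8"}
    rss = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<rss version="2.0"><channel>'
        f"<title>changedetection.io tag {html.escape(tag_id)}</title>"
        "</channel></rss>"
    )
    # An RSS feed should say so; a browser will not execute script from it.
    return rss, 200, {"Content-Type": "application/rss+xml; charset=utf-8"}


# Constructed sample input: markup in place of a UUID.
CONSTRUCTED_INPUT = "<b>not-a-uuid</b>"
```

In the vulnerable form the markup reaches the browser unchanged; in the hardened form it is rejected as a UUID and reflected only as escaped text/plain.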


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-03T17:50:11.242Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69aa7f36c48b3f10ff26b925

Added to database: 3/6/2026, 7:16:06 AM

Last enriched: 3/6/2026, 7:31:24 AM

Last updated: 3/6/2026, 10:10:55 AM
