CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Description (NVD)
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered, resulting in a cross-site scripting (XSS) vulnerability. This issue has been patched in version 0.50.4.
Analysis (AI)
CVE-2025-52558 is a reflected/stored cross-site scripting (XSS) vulnerability in changedetection.io prior to version 0.50.4, where error messages from website change detection filters are not properly sanitized before display. Attackers can inject malicious JavaScript through crafted filter configurations or monitored web pages, potentially compromising user sessions and data. The vulnerability requires user interaction (clicking a link/visiting a page) and affects all users of the open-source change detection service, though no CISA KEV listing or widespread active exploitation is currently documented.
Technical Context (AI)
changedetection.io is a Python-based web monitoring application that watches web pages for changes and notifies users when they occur. The vulnerability lies in the filter processing pipeline (CWE-79: Improper Neutralization of Input During Web Page Generation): error output from content filters is rendered directly into HTML responses without output encoding. In the watch/notification system's error handling, a failing filter's error message is echoed back to the user interface without HTML entity encoding and without Content Security Policy (CSP) protection. This is a classic output-encoding failure in which user-controllable or attacker-influenced data (filter configurations, monitored page content) flows into the error response unsanitized.
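The output-encoding failure described above, shown as an added illustration that is not changedetection.io's own code: a renderer that interpolates a filter error message into HTML unchanged, beside one that entity-encodes it first. The function names, the HTML fragment and the sample error message are constructed for this example; only Python's standard library is used.

```python
"""Added example (not changedetection.io's own code): the CWE-79 pattern
described above, as a vulnerable renderer beside a hardened one."""
from html import escape

# Constructed attacker-influenced error text: a filter that echoes part of a
# user-supplied selector or of the monitored page into its error message.
SAMPLE_ERROR = 'CSS selector not found: <script>alert(document.cookie)</script>'


def render_error_vulnerable(message: str) -> str:
    """Interpolates the message into the HTML body unchanged.

    Whatever markup the message carries becomes part of the page, so a
    <script> tag inside it is parsed and executed by the browser.
    """
    return f'<div class="error">Filter error: {message}</div>'


def render_error_fixed(message: str) -> str:
    """Entity-encodes the message, so the browser shows it as text.

    html.escape() turns < > & " ' into entities; quote=True (the default)
    matters when the same value is also placed inside an attribute.
    """
    return f'<div class="error">Filter error: {escape(message, quote=True)}</div>'


def render_error_in_attribute_fixed(message: str) -> str:
    """Same message placed in an attribute context (e.g. a tooltip).

    Quote escaping is what keeps the value from closing the attribute early.
    """
    return f'<span class="error" title="{escape(message, quote=True)}">filter failed</span>'


def contains_raw_script_tag(html: str) -> bool:
    """Illustrative check only (not a sanitizer): does the rendered fragment
    still contain an unencoded <script tag?"""
    return '<script' in html.lower()


if __name__ == '__main__':
    for name, fn in (('vulnerable', render_error_vulnerable),
                     ('fixed', render_error_fixed),
                     ('fixed (attribute)', render_error_in_attribute_fixed)):
        out = fn(SAMPLE_ERROR)
        print(f'{name:18} raw <script present: {contains_raw_script_tag(out)}')
        print('   ', out)
```

The hardened path is the whole fix: encoding at the point where data enters the HTML, in the context it is placed (body text versus attribute), rather than trying to recognise bad input upstream.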
Remediation (AI)
- action: Immediate patch upgrade; details: Upgrade changedetection.io to version 0.50.4 or later. Users should pull the latest Docker image tag or update from the GitHub repository (https://github.com/dgtlmoon/changedetection.io/releases/tag/0.50.4).
- action: Version verification; details: Verify the installed version via Settings > About or pip show changedetection.io. Confirm version >= 0.50.4 post-patch.
- action: Temporary mitigation (if patching is delayed); details: Restrict watch filter configurations to trusted input only; do not import or use filters from untrusted sources. Avoid monitoring untrusted or adversarial web pages whose content could be injected into error messages.
- action: Web application firewall (WAF) rules; details: If running changedetection.io behind a reverse proxy/WAF, implement rules to detect and block common XSS payloads (e.g., <script>, onerror=, javascript:) in filter parameters, and inspect error responses.
- action: Content Security Policy (CSP); details: Implement strict CSP headers (e.g., default-src 'self'; script-src 'self') at the reverse proxy or application level to mitigate reflected XSS impact even if sanitization is bypassed.
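Small helpers for three of the remediation steps above (version verification, the WAF indicator list, and the CSP policy), as an added example that is not part of this record or of changedetection.io. The version strings, the CSP policies and the sample filter values are constructed; the indicator pattern mirrors the three strings the remediation names and is illustrative, not a complete XSS ruleset. The CSP check is deliberately simplified: it does not model nonces, hashes or 'strict-dynamic'.

```python
"""Added example (not from changedetection.io or vuln.today): helpers for the
remediation checklist above. All inputs below are constructed."""
import re

# Fixed version stated by the advisory.
PATCHED_VERSION = (0, 50, 4)


def parse_version(text: str) -> tuple:
    """'0.50.4' -> (0, 50, 4). Tolerates a leading 'v' and stops at the first
    non-numeric suffix ('0.50.4rc1' -> (0, 50, 4))."""
    parts = []
    for piece in text.strip().lstrip('vV').split('.'):
        m = re.match(r'\d+', piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(installed: str) -> bool:
    """True when the installed version is 0.50.4 or later (tuple comparison;
    a shorter tuple such as (0, 50) sorts before (0, 50, 4))."""
    return parse_version(installed) >= PATCHED_VERSION


# The three indicators the WAF item names, case-insensitive, whitespace-tolerant.
XSS_INDICATORS = re.compile(r'<\s*script|onerror\s*=|javascript\s*:', re.IGNORECASE)


def flag_suspicious_filter(value: str) -> bool:
    """Defender-side check for a filter parameter: flag for review or blocking
    when one of the named indicators appears. A miss here is expected for
    encoded variants; output encoding (not this check) is the real fix."""
    return XSS_INDICATORS.search(value) is not None


def parse_csp(policy: str) -> dict:
    """'default-src 'self'; script-src 'self'' -> {'default-src': ["'self'"], ...}"""
    directives = {}
    for directive in policy.split(';'):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def blocks_inline_scripts(policy: str) -> bool:
    """Simplified: inline scripts are blocked when the effective script source
    list exists (script-src, else default-src) and omits 'unsafe-inline'."""
    directives = parse_csp(policy)
    sources = directives.get('script-src', directives.get('default-src'))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


if __name__ == '__main__':
    for v in ('0.50.3', '0.50.4', 'v0.51.0'):
        print(v, 'patched' if is_patched(v) else 'VULNERABLE')
    for policy in ("default-src 'self'; script-src 'self'",
                   "default-src 'self' 'unsafe-inline'"):
        print(repr(policy), 'blocks inline scripts:', blocks_inline_scripts(policy))
    for value in ('div.price', '<img src=x onerror=alert(1)>'):
        print(repr(value), 'suspicious:', flag_suspicious_filter(value))
```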
EUVD-2025-18945
GHSA-hwpg-x5hw-vpv9