Flask
CVE-2026-29038
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
AnalysisAI
Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Changedetection. changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 0.54.4.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Path traversal and extension bypass in Flask-Reuploaded file upload library. Allows uploading files with arbitrary exten
changedetection.io versions before 0.54.1 are vulnerable to reflected cross-site scripting (XSS) via the RSS endpoint, w
Changedetection.io versions before 0.53.2 allow unauthenticated attackers to read arbitrary files from the application d
Flask is a lightweight WSGI web application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely ex
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. Rated high severity (CVSS 7.5), this vulne
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that
Missing authentication checks on Indico's event series management API endpoint allows unauthenticated attackers to view
The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerabil
Cross-site scripting in Indico prior to version 3.3.10 allows authenticated users to inject malicious scripts through ma
Indico versions before 3.3.10 allow authenticated event organizers to conduct server-side request forgery attacks by pro
Flask versions 3.1.2 and earlier fail to set proper cache headers when the session object is accessed through certain me
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8whx-v8qq-pq64