Skip to main content

Flask CVE-2026-29038

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-06 security-advisories@github.com GHSA-8whx-v8qq-pq64
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
PoC Detected
Mar 10, 2026 - 19:38 vuln.today
Public exploit code
Patch released
Mar 10, 2026 - 19:38 nvd
Patch available
CVE Published
Mar 06, 2026 - 07:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.

AnalysisAI

Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Changedetection. changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 0.54.4.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

More in Flask

View all
CVE-2026-27641 CRITICAL POC
9.8 Feb 25

Path traversal and extension bypass in Flask-Reuploaded file upload library. Allows uploading files with arbitrary exten

CVE-2026-27645 MEDIUM POC
6.1 Feb 25

changedetection.io versions before 0.54.1 are vulnerable to reflected cross-site scripting (XSS) via the RSS endpoint, w

CVE-2026-25527 MEDIUM POC
5.3 Feb 19

Changedetection.io versions before 0.53.2 allow unauthenticated attackers to read arbitrary files from the application d

CVE-2023-30861 HIGH
7.5 May 02

Flask is a lightweight WSGI web application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely ex

CVE-2019-1010083 HIGH
7.5 Jul 17

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. Rated high severity (CVSS 7.5), this vulne

CVE-2018-1000656 HIGH
7.5 Aug 20

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that

CVE-2026-28352 MEDIUM
6.5 Feb 27

Missing authentication checks on Indico's event series management API endpoint allows unauthenticated attackers to view

CVE-2026-1827 MEDIUM
6.4 Feb 11

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerabil

CVE-2026-25739 MEDIUM
5.4 Feb 19

Cross-site scripting in Indico prior to version 3.3.10 allows authenticated users to inject malicious scripts through ma

CVE-2026-25738 MEDIUM
4.3 Feb 19

Indico versions before 3.3.10 allow authenticated event organizers to conduct server-side request forgery attacks by pro

CVE-2026-27205 MEDIUM
4.3 Feb 21

Flask versions 3.1.2 and earlier fail to set proper cache headers when the session object is accessed through certain me

Share

CVE-2026-29038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy