CVE-2026-27696

HIGH 8.6

changedetection.io Vulnerable to Server-Side Request Forgery (SSRF) via Watch URLs

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.

CWE	CWE-918
Vendor	dgtlmoon
Product	changedetection.io
Published	Feb 25, 2026
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for dgtlmoon changedetection.io

Be the first to know when new high vulnerabilities affecting dgtlmoon changedetection.io are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

dgtlmoon / changedetection.io

< 0.54.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-3c45-4pj5-ch7m github.com: https://github.com/dgtlmoon/changedetection.io/commit/fe7aa38c651d73fe5f41ce09855fa8f97193747b