PyPI: changedetection-io

CVE-2025-62780

Safety vulnerability ID: SFTY-20251112-49922

Safety legacy ID: pyup.io-81578

Created at: Jun 5, 2026
Updated at: Jun 5, 2026

Overview

changedetection.io: Stored XSS in Watch update via API

Advisory

Affected versions of the changedetection.io package are vulnerable to stored Cross-site Scripting (XSS) because the Watch update API does not apply the URL safety validation that the browser interface does. When a watch is edited in the browser, changedetection.io calls the validate_url(test_url) helper, which ultimately uses the model.Watch.is_safe_url check to reject unsafe schemes such as javascript:. The Watch update API endpoint (for example, PUT /api/v1/watch/{id}) accepts attacker-controlled URL fields without invoking this validation, so a client with access to the API can store a script-based URL such as javascript: in Watch data, where it is later rendered by the web interface (the stored XSS).
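As an added example that is not changedetection.io's own code, the following stdlib-only Python models the gap described above: an is_safe_url-style scheme allow-list, the unchecked API update path beside one that applies the same check on write, and an audit over stored watch data for entries that slipped through. The function names, the http/https allow-list, the watch dictionary shape and the error type are assumptions for illustration, not the project's implementation.

```python
# Added example (not changedetection.io's own code): a stdlib-only model of the
# gap the advisory describes. The real project's validate_url / is_safe_url live
# in its Flask app and model; the names, allow-list and watch shape here are
# assumptions for illustration.
from urllib.parse import urlparse

# Assumed scheme allow-list; the project's real check may accept other schemes.
SAFE_SCHEMES = {"http", "https"}


class ValidationError(ValueError):
    """Raised when a watch field fails validation (hypothetical error type)."""


def is_safe_url(url) -> bool:
    """Return True only for a string URL with an allow-listed scheme and a host.

    Surrounding whitespace is stripped and the scheme compared case-insensitively,
    so 'JavaScript:alert(1)' and ' javascript:alert(1)' are both rejected, as are
    data: URLs, scheme-less strings and non-string values.
    """
    if not isinstance(url, str):
        return False
    try:
        parsed = urlparse(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


def make_store() -> dict:
    """Constructed sample watch data keyed by watch id (not real data)."""
    return {
        "w1": {"url": "https://example.com/pricing", "title": "pricing"},
        "w2": {"url": "http://example.org/status", "title": "status"},
    }


def update_watch_vulnerable(store: dict, watch_id: str, payload: dict) -> dict:
    """Mirror of the defect: API payload fields are copied into the watch
    without calling is_safe_url, so a javascript: URL is stored as-is."""
    store[watch_id].update(payload)
    return store[watch_id]


def update_watch_fixed(store: dict, watch_id: str, payload: dict) -> dict:
    """Same update path with the check the browser form already performs
    applied to the API as well: reject the write before anything is stored."""
    if "url" in payload and not is_safe_url(payload["url"]):
        raise ValidationError(f"unsafe url rejected for watch {watch_id!r}")
    store[watch_id].update(payload)
    return store[watch_id]


def find_unsafe_watches(store: dict) -> list:
    """Audit helper: ids of watches whose stored URL would fail is_safe_url.
    Worth running after an upgrade, since entries written through the
    unchecked API path are still in the datastore unless something removes them."""
    return sorted(wid for wid, watch in store.items() if not is_safe_url(watch.get("url")))


if __name__ == "__main__":
    payload = {"url": "javascript:alert(document.cookie)"}

    store = make_store()
    update_watch_vulnerable(store, "w1", payload)
    print("vulnerable path stored:", store["w1"]["url"])
    print("audit finds:", find_unsafe_watches(store))

    store = make_store()
    try:
        update_watch_fixed(store, "w1", payload)
    except ValidationError as exc:
        print("fixed path rejected:", exc)
    print("audit finds:", find_unsafe_watches(store))
```

The point of `find_unsafe_watches` is that fixing the write path says nothing about what was already written; the same allow-list applied to stored data is the cheapest way to tell whether the unchecked endpoint was ever used against an instance.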

Affected Package

Affecting changedetection-io package, versions <0.50.34

How to Fix

Upgrade changedetection-io to 0.50.34 or higher.

Mitigation and Workarounds

No workaround is listed for this advisory. Because the missing check is on the API write path, limit who can reach the API until the upgrade is applied, and after upgrading review existing watches for URLs whose scheme is not http or https: the fix described here validates new writes, so entries stored through the unchecked endpoint earlier should be reviewed rather than assumed clean.

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more