CVEFinder.io

CVE-2026-35490

⛔ critical
Description

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.

CVSS Score: 9.8 (Critical)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-04-07
First Seen: 2026-04-08
📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.4% of all 321,566 vulnerabilities in our database.

Severity Percentile: #30,777 (Top 10% most severe)
🎯 CISA SSVC Assessment (Updated: Apr 9, 2026)
🔍 Exploitation Status: PoC (Proof-of-concept available)
⚙️ Automatable: Yes (Can be exploited automatically)
💥 Technical Impact: Total (Complete system compromise possible)
SSVC data provided by CISA

Last Modified: 2026-04-14
Source: NVD
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
📦 Affected Products 1

🔗 References 1

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-43891 | ⚠️ high | 7.5 | 0.0 | changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by... | 2026-05-12 |
| CVE-2026-35000 | 🔶 medium | 6.5 | 0.1 | ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementa... | 2026-04-01 |
| CVE-2026-33981 | 🔶 medium | 6.5 | 0.0 | changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include... | 2026-03-27 |
| CVE-2026-29038 | 🔶 medium | 6.1 | 0.0 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected c... | 2026-03-06 |
| CVE-2026-29039 | ⚠️ high | 7.5 | 0.0 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io... | 2026-03-06 |
| CVE-2026-29065 | ⛔ critical | 9.1 | 0.1 | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerabili... | 2026-03-06 |

These CVEs affect the same products.