CVE-2025-52558: 
Python vulnerability analysis and mitigation

changedetection.io, a free open source web page change detection and website monitoring service, was found to contain a cross-site scripting (XSS) vulnerability prior to version 0.50.4. The vulnerability was identified and tracked as CVE-2025-52558, with a CVSS v4.0 score of 7.0 (High). The issue was discovered in June 2025 and affected all versions up to and including 0.50.3 (GitHub Advisory).

The vulnerability stemmed from improper filtering of error texts generated by website page change detection watches. The issue specifically occurred in the watch overview functionality where error messages were not being properly sanitized before being displayed to users. The vulnerability received a CVSS v4.0 base score of 7.0 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N, indicating it was exploitable over the network with low attack complexity but requiring user interaction (NVD).

The vulnerability could allow attackers to execute cross-site scripting (XSS) attacks through specially crafted error messages. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks. The CVSS metrics indicate low impact on confidentiality, no impact on integrity, but high impact on availability of the vulnerable system (GitHub Advisory).

The vulnerability has been patched in version 0.50.4 of changedetection.io. Users are advised to upgrade to this version or later to address the security issue. The fix involves proper implementation of error message filtering and sanitization (GitHub Commit).