CVE-2026-35490 · CRITICAL 9.8 · EPSS p40.9%

Description

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
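
The misordering described above can be found statically. The following is an added example, not code from changedetection.io or its advisory: a standard-library AST check that flags view functions where another decorator sits above a `.route()` decorator. The sample source, view names and paths are constructed; only the name `login_optionally_required` comes from the description.

```python
import ast

# Constructed sample source (not from changedetection.io). Only the decorator
# name login_optionally_required is taken from the CVE description.
SAMPLE = '''
@login_optionally_required
@blueprint.route("/settings", methods=["GET"])
def settings_page():
    return "settings"

@blueprint.route("/watch/<uuid>")
@login_optionally_required
def watch_page(uuid):
    return uuid

@blueprint.route("/public")
def public_page():
    return "ok"
'''

# Flask registrars: .route() plus the per-method shortcuts added in Flask 2.0.
ROUTE_ATTRS = {"route", "get", "post", "put", "delete", "patch"}

def _is_route(dec):
    """True for decorators shaped like <obj>.route(...) or <obj>.get(...) etc."""
    return (isinstance(dec, ast.Call)
            and isinstance(dec.func, ast.Attribute)
            and dec.func.attr in ROUTE_ATTRS)

def find_bypassed_decorators(source):
    """Return [(view, def_lineno, [decorators above the route])] for misordered views."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        decs = node.decorator_list  # listed top to bottom, i.e. outermost first
        route_idx = [i for i, d in enumerate(decs) if _is_route(d)]
        if not route_idx:
            continue
        # Anything above the lowest route decorator wraps only the route's return
        # value, so the view registered by that route never passes through it.
        outer = [ast.unparse(d.func if isinstance(d, ast.Call) else d)
                 for d in decs[:max(route_idx)] if not _is_route(d)]
        if outer:
            findings.append((node.name, node.lineno, outer))
    return findings

if __name__ == "__main__":
    for name, line, outer in find_bypassed_decorators(SAMPLE):
        print(f"{name} (def at line {line}): bypassed decorators: {', '.join(outer)}")
```

The check matches on attribute names only, so a non-Flask decorator such as a cache object's `.get(...)` would also be treated as a route and should be reviewed by hand.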

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% probability of exploitation · percentile 40.9% · 2026-06-19T12:03:05Z
Published: 2026-04-07
Last modified: 2026-04-14

Underlying weaknesses · 1

CWE-863

References

  1. https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4

Type | Target | Confidence | Tier
Weakness | Incorrect Authorization (cwe-863) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-34531
  2. CVE-2025-25268
  3. CVE-2025-70983
  4. CVE-2026-41394
  5. CVE-2025-43931
  6. CVE-2025-26961

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.