Home / Vulnerability Intelligence / CVE-2026-27696

CVE-2026-27696 - Vulnerability Analysis

HighCVSS: 8.6

Last Updated: February 26, 2026

changedetection.io - Server-Side Request Forgery

Published: February 25, 2026Updated: February 26, 2026PoC AvailableRemote Exploitable

Overview

changedetection.io < 0.54.1 contains a server-side request forgery caused by improper URL validation in is_safe_valid_url(), letting authenticated or unauthenticated users fetch internal network URLs and exfiltrate data, exploit requires authentication or no password configured.

Severity & Score

Severity: High

CVSS Score: 8.6

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Attackers can exfiltrate data from internal network services by making the server fetch internal URLs.

Mitigation

Upgrade to version 0.54.1 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 25, 2026

🟠 CVE-2026-27696 - High (8.6) changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validat... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27696/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-27696
Severity: High
CVSS Score: 8.6
Type: server_side_request_forgery
Status: confirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days