changedetection.io

v0.55.4 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 15d Alerting & Incidents
✓ No known CVEs patched
This release patches 1 known CVE

Topics

back-in-stock change-alert change-detection change-monitoring monitoring notifications restock-monitor rss self-hosted url-monitor web-scraping website-change-detection website-change-detector website-change-monitor website-change-notification website-change-tracker website-defacement-monitoring website-monitor website-monitoring website-watcher

Affected surfaces

rce_ssrf rbac

Summary

AI summary

Fixing GHSA-vwgh-2hvh-4xm5 — substring match vulnerability and watch.link API change to string.

Changes in this release

Security Medium

Watch GET history snapshot now returns text/plain mimetype to prevent accidental execution

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Security Medium

SSRF guard added for LLM `api_base` setting in UI

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Added self-hosted OpenAI-compatible endpoint support (vLLM, LM Studio, llama.cpp)

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

UI tweaks for LiteLLM configuration in LLM integration

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Make LLM status sticky in UI

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Added restock config to API /v1/watch/ JSON output

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Notifications include extra check for system default

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

Added support for watch API private/internal variables

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Feature Medium

i18n: Added dennis .pot/.po lint support

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Text filters process subtractive_selectors first

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Czech l12n catalog sync fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Notifications now escape only diff variables before Jinja2 rendering

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Watch.link enforced as string, not tuple

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fixed GHSA-vwgh-2hvh-4xm5 substring match issue in shared_diff_access

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Fixed broken HTML tags and enforced dennis lint warnings in CI for i18n

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

Text Filters: 'Ignore text' now runs before 'extract text'

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Bugfix Medium

LLM ollama and related tweaks fixed

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Refactor Medium

Improved LiteLLM dependencies handling

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Refactor Medium

Docker changes: INSTALLED_MARKER kept in /datastore, package installs no longer persistent

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Full changelog

What's Changed

  • i18n: Ruff INT (flake8-gettext) by @skkzsh in https://github.com/dgtlmoon/changedetection.io/pull/4096
  • UI - AI/LLM - "Summary" button should set last viewed by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4095
  • Improve LiteLLM deps #4093 by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4102
  • i18n: Add dennis .pot/.po lint by @skkzsh in https://github.com/dgtlmoon/changedetection.io/pull/4097
  • API - watch.link was accidently a tuple, enforcing string by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4104
  • API - Add restock config to API /v1/watch/ json output #4099 by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4103
  • i18n: Enforce dennis lint warnings in CI by @skkzsh in https://github.com/dgtlmoon/changedetection.io/pull/4105
  • i18n: Clear pre-existing dennis warnings in messages.pot by @skkzsh in https://github.com/dgtlmoon/changedetection.io/pull/4112
  • i18n: Fix broken HTML tags and enforce dennis lint warnings in CI by @skkzsh in https://github.com/dgtlmoon/changedetection.io/pull/4116
  • Notifications - extra check for system default by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4122
  • Notifications - Escape only the diff variables before Jinja2 renders them into the template ( Stop breaking custom HTML for plaintext pages on HTML notifications) #4121 by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4123
  • Fixing GHSA-vwgh-2hvh-4xm5 — substring match in the shared_diff_access by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4130
  • Bumping tests by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4131
  • LLM - Self-hosted OpenAI-compatible endpoint support (vLLM, LM Studio, llama.cpp) — refs #3204 by @tekgnosis-net in https://github.com/dgtlmoon/changedetection.io/pull/4117
  • LLM integration - LiteLLM config - UI tweaks by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4134
  • UI - Make LLM status sticky by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4135
  • LLM - Fixing summary cache miss-hit by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4136
  • Text filters - Process subtractive_selectors first by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4142
  • API - Better support for watch API private/internal vars by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4144
  • Text filters - Ignore text should run before 'extract text' by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4143
  • Fix/pr 4110 czech l12n catalog sync by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4145
  • Docker - INSTALLED_MARKER is kept in /datastore but package installs are not persistent (Dont use custom marker file, rely on pip instead) by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4147
  • Fix/llm ollama etc tweaks by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4148
  • UI - LLM - SSRF guard for the LLM api_base setting by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4157
  • API Security - Watch GET history snapshot - Should return text/plain mimetype so it cant be accidently executed in the browser by @dgtlmoon in https://github.com/dgtlmoon/changedetection.io/pull/4158

New Contributors

  • @tekgnosis-net made their first contribution in https://github.com/dgtlmoon/changedetection.io/pull/4117

Full Changelog: https://github.com/dgtlmoon/changedetection.io/compare/0.55.3...0.55.4

Breaking Changes

  • API change: watch.link now enforces a string instead of allowing a tuple

Security Fixes

  • GHSA-vwgh-2hvh-4xm5 — fixed substring match vulnerability in shared_diff_access

About changedetection.io

Best and simplest tool for website change detection, web page monitoring, and website change alerts. Perfect for tracking content changes, price drops, restock alerts, and website defacement monitoring—all for free or enjoy our SaaS plan!
