Platform
python
Component
changedetection-io
Fixed in
0.54.5
0.54.4
CVE-2026-29039 describes an Arbitrary File Access vulnerability within the changedetection-io application. This flaw allows attackers to read arbitrary files accessible to the application process by exploiting the unparsed-text() function within XPath expressions. The vulnerability impacts versions of changedetection-io up to 0.54.3, and a patch is available in version 0.54.4.
The primary impact of CVE-2026-29039 is the potential for unauthorized file access. An attacker can craft malicious XPath expressions, specifically utilizing the unparsed-text() function, to read any file that the changedetection-io process has permissions to access. This could include sensitive configuration files, database credentials, or even source code. The blast radius is limited to the files accessible by the application's user account, but the potential for data exfiltration and subsequent compromise remains significant. This vulnerability shares similarities with other XPath injection vulnerabilities where improper sanitization of user-supplied input leads to unintended file system access.
CVE-2026-29039 was publicly disclosed on 2026-03-04. The ease of exploitation and the potential impact suggest a medium probability of exploitation (EPSS score pending evaluation). No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability is relatively straightforward to exploit given well-known XPath injection techniques. It is not currently listed in the CISA KEV catalog.
Organizations deploying changedetection-io, particularly those using it to monitor websites with sensitive content, are at risk. Shared hosting environments where multiple users have access to the changedetection-io instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's configuration.
• python / server:
find / -name 'changedetection.io' -type d -print0 | xargs -0 grep -ri 'unparsed-text()'
• generic web:
curl -I http://your-changedetection-io-instance/ | grep -i 'include_filters'
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-29039 is to upgrade changedetection-io to version 0.54.4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing potentially malicious XPath expressions, specifically those utilizing the unparsed-text() function. Additionally, restrict the permissions of the changedetection-io process to the absolute minimum required for its operation. Monitor application logs for unusual file access attempts. After upgrading, confirm the fix by attempting to access a sensitive file via the include_filters parameter; the request should be rejected.
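As an added example (not code from the changedetection-io project or from this advisory), the following Python pre-validation check expresses the WAF-style rule described above in application terms: it rejects an include_filters value whose XPath calls unparsed-text(). It generalizes slightly beyond the advisory by also denying the unparsed-text-lines() and unparsed-text-available() variants from the same XPath function family, and it strips XPath comments first so a comment cannot be used to split the function name. The function names validate_include_filter and find_file_reading_calls, the sample filter strings and the file URL are constructed for illustration; the check is a stopgap until 0.54.4 or later is deployed, not a replacement for the upgrade.

```python
import re

# XPath 2.0+ functions that read external text resources. The advisory names
# unparsed-text(); the -lines and -available variants belong to the same family
# and are denied here as a generalization of that rule.
FILE_READING_FUNCTIONS = (
    "unparsed-text-available",
    "unparsed-text-lines",
    "unparsed-text",  # longest names first so the alternation prefers them
)

# XPath 2.0 comments look like (: ... :) and may nest. This pattern matches an
# innermost comment (one that contains no further "(:"), and the loop below
# repeats until nothing is left, so nested comments are removed from the inside out.
_COMMENT_RE = re.compile(r"\(:(?:(?!\(:).)*?:\)", re.S)

# A call to a denied function: optional "fn:" prefix, the name, optional
# whitespace, then "(". The lookbehind stops "my-unparsed-text(" or
# "xunparsed-text(" from being treated as a hit.
_CALL_RE = re.compile(
    r"(?<![\w.-])(?:fn:)?("
    + "|".join(re.escape(name) for name in FILE_READING_FUNCTIONS)
    + r")\s*\("
)


def strip_xpath_comments(expr: str) -> str:
    """Remove (: ... :) comments, including nested ones, from an XPath expression."""
    previous = None
    while previous != expr:
        previous, expr = expr, _COMMENT_RE.sub("", expr)
    return expr


def find_file_reading_calls(expr: str) -> list[str]:
    """Return the denied function names called in expr, in order of appearance."""
    cleaned = strip_xpath_comments(expr)
    return [match.group(1) for match in _CALL_RE.finditer(cleaned)]


def validate_include_filter(filter_text: str) -> tuple[bool, str]:
    """Decide whether a single include_filters entry may be passed to the XPath engine.

    The check is applied to every filter string regardless of type: on a CSS
    selector it is a harmless no-op, so no guessing about filter syntax is needed.
    Returns (accepted, reason); the reason names the first denied call for logging.
    """
    calls = find_file_reading_calls(filter_text)
    if calls:
        return False, f"denied XPath function: {calls[0]}()"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample filters, not real configuration data.
    samples = [
        '//div[@class="price"]',
        'string(unparsed-text("file:///example/secret.txt"))',
        'fn:unparsed-text-lines (: split by a comment :) ("file:///example/secret.txt")',
        "//span[@data-unparsed-text()]",  # attribute name, not a function call
    ]
    for sample in samples:
        accepted, reason = validate_include_filter(sample)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {reason:45} {sample}")
```

Rejections should be logged with the filter text and the acting user so they can feed the log monitoring the advisory recommends; a rejected filter is itself a useful detection signal on an instance that has not yet been upgraded.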
Update changedetection.io to version 0.54.4 or later. This version fixes the vulnerability that allowed reading arbitrary files via the unparsed-text() function in XPath expressions.
CVE-2026-29039 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a changedetection-io server through crafted XPath expressions. It affects versions up to 0.54.3.
You are affected if you are running changedetection-io version 0.54.3 or earlier. Check your version and upgrade immediately.
Upgrade to version 0.54.4 or later. As a temporary workaround, restrict XPath expression usage and validate user input.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the changedetection-io project's release notes and security advisories on their GitHub repository for the latest information.