Platform
python
Component
changedetection-io
Fixed in
0.54.5
0.54.4
CVE-2026-29065 describes a Zip Slip vulnerability affecting changedetection-io versions up to and including 0.54.3. An attacker who can submit a backup archive to the restore function can overwrite arbitrary files, within the permissions of the application process, by crafting a ZIP whose member names contain path traversal sequences. The root cause is insufficient validation of the destination path of each archive member during extraction. The fix is included in version 0.54.4.
The Zip Slip vulnerability in changedetection-io is significant because the primitive it gives the attacker is an arbitrary file overwrite. A specially crafted ZIP archive containing path traversal sequences (e.g. ../ in a member name) causes the member to be written outside the intended extraction directory. Depending on what the process is allowed to write, this reaches configuration files, application code or other files the application later loads or executes, so successful exploitation can lead to code execution, data loss or denial of service. The impact is amplified if the application runs with elevated privileges, since the attacker can then overwrite files in protected areas of the filesystem. The weakness is the same one seen in other Zip Slip vulnerabilities: the archive member name is trusted when building the output path, and nothing checks that the result still lies inside the destination directory.
CVE-2026-29065 was publicly disclosed on 2026-03-04. No public proof-of-concept exploit is known at the time of writing. The EPSS score is low (0.07%, 21st percentile). The vulnerability is not listed in the CISA KEV catalog.
Any deployment running changedetection-io earlier than 0.54.4 is at risk, whether or not the backup and restore functionality is used day to day: what matters is that the restore function is present and reachable by whoever can upload a backup archive. Installations that have not applied security updates are the obvious case. Shared hosting environments where several users share one server instance deserve particular attention, since a compromised user could use the flaw to overwrite files belonging to other users, within the permissions of the application process.
• python / server:
# Authoritative check: the installed package version (PyPI name changedetection.io); anything below 0.54.4 is affected
pip show changedetection.io 2>/dev/null | awk '/^Version:/{print $2}'
# Heuristic only: locate ZIP handling in the installed package for manual review of the restore path
grep -rIn --include='*.py' -E 'zipfile|extractall' "$(pip show changedetection.io 2>/dev/null | awk '/^Location:/{print $2}')" 2>/dev/null
• generic web:
# Placeholder URL; an instance whose UI answers without redirecting to a login exposes the restore function to anyone who can reach it
curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' "https://<changedetection-io_host>/"
Disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
The primary mitigation for CVE-2026-29065 is to upgrade changedetection-io to version 0.54.4 or later, which adds the missing path validation. If upgrading immediately is not feasible, reduce exposure in the meantime: restrict who can reach the restore function (authentication on the UI, network-level access controls), and run the application as an unprivileged user with write access limited to its own datastore so that an overwrite cannot reach files outside it. Monitor the application's logs for restore operations and for unexpected file modifications. After upgrading, verify the fix on a test instance, not in production, by restoring a ZIP archive whose member names contain path traversal sequences and confirming that nothing is written outside the datastore.
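The following is an added illustration, not code from the changedetection-io project or from this advisory. It constructs a traversal archive in memory, restores it with a routine written in the pattern that makes Zip Slip possible (the member name is joined onto the datastore path and written wherever that lands), and then with a hardened routine that rejects `..` and absolute names and checks the resolved destination against the datastore. It also serves as the post-upgrade check described above: the same archive, fed to a restore routine, must produce no file outside the datastore. Note that CPython's own `ZipFile.extractall` strips leading `..` components, so the unsafe pattern shown is manual path handling, not `extractall`. The member name `url-watches.json` and the directory layout are assumptions.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_traversal_zip(payload=b"owned\n", depth=2):
    """Build, in memory, a backup archive with one member whose name climbs
    out of the extraction directory. Constructed test data, not a real sample;
    the benign member name url-watches.json is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("url-watches.json", b"{}")             # looks like a normal backup
        zf.writestr("../" * depth + "pwned.txt", payload)  # writestr keeps the name verbatim
    buf.seek(0)
    return buf


def unsafe_restore(zip_buf, datastore):
    """Illustrative Zip-Slip-prone restore (pattern only, not the project's
    code): the member name is joined onto the datastore path and written
    wherever that lands. Returns the normalised paths it wrote."""
    written = []
    with zipfile.ZipFile(zip_buf) as zf:
        for info in zf.infolist():
            target = os.path.join(datastore, info.filename)  # '../' is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def safe_restore(zip_buf, datastore):
    """Hardened restore: reject absolute and '..' names up front, then resolve
    the final destination (following symlinks) and require it to stay under
    the datastore. Returns (written, rejected)."""
    base = os.path.realpath(datastore)
    written, rejected = [], []
    with zipfile.ZipFile(zip_buf) as zf:
        for info in zf.infolist():
            name = posixpath.normpath(info.filename)  # ZIP member names use '/'
            if name.startswith(("/", "../")) or name == "..":
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(base, name))
            # realpath has resolved any symlink already present under the datastore;
            # commonpath is the containment test that plain string prefixes get wrong
            if os.path.commonpath([base, target]) != base:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo(root=None):
    """Run both restores against the constructed archive inside a scratch tree
    deep enough that the escaping member still lands within it."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    root = os.path.realpath(root)
    datastore = os.path.join(root, "app", "data", "datastore")
    os.makedirs(datastore)
    archive = build_traversal_zip()
    unsafe_written = unsafe_restore(archive, datastore)
    archive.seek(0)
    safe_written, rejected = safe_restore(archive, datastore)
    escaped = [p for p in unsafe_written if os.path.commonpath([datastore, p]) != datastore]
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return {
        "escaped_from_unsafe": [rel(p) for p in escaped],
        "safe_written": [rel(p) for p in safe_written],
        "rejected": rejected,
        "pwned_exists_after_unsafe": os.path.exists(os.path.join(root, "app", "pwned.txt")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe routine writes `app/pwned.txt`, two directories above the datastore, because `os.path.join` honours the `../` components; the hardened routine rejects that member and writes only `url-watches.json`. Rejecting the whole restore, rather than skipping the bad member, is the stricter choice for a real backup feature, since a partially applied backup is rarely what the operator wants.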
Update changedetection.io to version 0.54.4 or later. This version fixes the Zip Slip vulnerability that allows arbitrary file overwrites during backup restore.
CVE-2026-29065 is a high-severity vulnerability in changedetection-io versions up to 0.54.3 that allows attackers to overwrite files via path traversal in uploaded ZIP archives during backup restore.
You are affected if you are running changedetection-io versions prior to 0.54.4. Check your version and upgrade immediately if vulnerable.
Upgrade changedetection-io to version 0.54.4 or later to patch the vulnerability. Restrict access to the restore functionality as a temporary measure.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is easily exploitable and should be patched promptly.
Refer to the changedetection-io project's official release notes and security advisories on their GitHub repository for the latest information.