Platform: python
Component: changedetection-io
Fixed in: 0.54.5, 0.54.4
CVE-2026-29039 describes an Arbitrary File Access vulnerability within the changedetection-io application. This flaw allows attackers to read arbitrary files accessible to the application process by exploiting the unparsed-text() function within XPath expressions. The vulnerability impacts versions of changedetection-io up to 0.54.3, and a patch is available in version 0.54.4.
The primary impact of CVE-2026-29039 is the potential for unauthorized file access. An attacker can craft malicious XPath expressions within the include_filters field, using the unparsed-text() function to read sensitive files from the server's filesystem. This could include configuration files, source code, database credentials, or any other file accessible to the changedetection-io process. Successful exploitation could lead to data breaches, compromise of system credentials, and, potentially, further exploitation of the underlying system. The blast radius depends on the permissions of the changedetection-io process and the sensitivity of the files it can access.
CVE-2026-29039 was publicly disclosed on 2026-03-04. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given access to the application's input fields.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
The recommended mitigation for CVE-2026-29039 is to immediately upgrade to version 0.54.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restricting the use of XPath expressions and rigorously validating any user-supplied input is crucial. Implement input sanitization to prevent the injection of malicious unparsed-text() calls. Consider using a Web Application Firewall (WAF) with rules to block requests containing suspicious XPath expressions. After upgrading, confirm the vulnerability is resolved by attempting to access a sensitive file using a crafted XPath expression; the request should be denied.
Update changedetection.io to version 0.54.4 or higher. This version fixes the vulnerability that allows arbitrary file reading through the unparsed-text() function in XPath expressions.
CVE-2026-29039 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a changedetection-io server through crafted XPath expressions. It affects versions up to 0.54.3.
You are affected if you are running changedetection-io version 0.54.3 or earlier. Check your version and upgrade immediately.
Upgrade to version 0.54.4 or later. As a temporary workaround, restrict XPath expression usage and validate user input.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the changedetection-io project's release notes and security advisories on their GitHub repository for the latest information.