Platform
python
Component
changedetection-io
Fixed in
0.54.5
0.54.4
CVE-2026-29039 describes an arbitrary file access vulnerability in the changedetection-io application. An attacker who can set an XPath filter expression can call the unparsed-text() function inside it and read any file the application process can open. unparsed-text() is a standard XPath 3.0 function that loads a text resource by URI; because the filter is evaluated on the server, the read happens with the permissions of the changedetection-io process. The vulnerability affects changedetection-io up to and including 0.54.3 and is patched in 0.54.4.
The primary impact of CVE-2026-29039 is unauthorized file access. An attacker crafts an XPath expression in a watch's include_filters field that calls unparsed-text() to read files from the server's filesystem: configuration files, source code, database credentials, or anything else readable by the changedetection-io process. Successful exploitation can lead to data exposure, compromise of credentials stored on the host, and potentially further exploitation of the underlying system. The blast radius depends on the permissions of the changedetection-io process and the sensitivity of the files it can reach.
CVE-2026-29039 was publicly disclosed on 2026-03-04. There is no indication of active exploitation campaigns at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but exploitation needs nothing more than the ability to edit a watch's include_filters, that is, access to the instance's web UI or API.
Any organization running changedetection-io is exposed, and the exposure is worst where the instance is reachable without password protection or is shared by several users: anyone who can edit a watch's filters can read files as the service account, regardless of which watches they were supposed to manage.
• python / server: print the installed package version (the PyPI distribution is named changedetection.io); anything below 0.54.4 is affected:
pip show changedetection.io | grep -i '^Version:'
• docker: run the same check inside the container (the container name is an assumption, adjust it for your deployment):
docker exec changedetection pip show changedetection.io | grep -i '^Version:'
• datastore: list stored watch filters that call unparsed-text(); url-watches.json lives in the datastore directory, which is /datastore in the official image (adjust the path for other installs):
grep -n 'unparsed-text' /datastore/url-watches.json
• generic web: HTTP response headers do not carry the version, so a HEAD request tells you nothing. The version is shown in the web UI; the following pulls the first version-shaped string from the landing page and assumes the page is reachable without login:
curl -s http://your-changedetection-io-instance/ | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
The recommended mitigation for CVE-2026-29039 is to upgrade to changedetection-io 0.54.4 or later. If that is not immediately feasible, reduce exposure in the meantime. The vulnerable input is the include_filters field of a watch, so the malicious expression can only be planted by someone who can edit watches: enable the application's password protection, do not expose the instance to untrusted networks, and treat every existing filter as untrusted input by rejecting or removing any filter that calls unparsed-text() and reviewing XPath filters you did not author. A WAF rule that blocks request bodies containing "unparsed-text(" is a coarse stopgap; it covers the web form path only and does nothing about a filter that is already stored. After upgrading, confirm the fix by saving a watch whose filter calls unparsed-text() on a non-sensitive file you control; the filter must not return the file's contents.
Update changedetection.io to version 0.54.4 or later. This version fixes the vulnerability that allows arbitrary file reads through the unparsed-text() function in XPath expressions.
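As an added example, not code from the changedetection.io project, the following Python script puts the detection check and the interim workaround from above in one place: it audits a url-watches.json datastore for include_filters entries that call unparsed-text() or another URI-reading XPath function, and it offers validate_filter(), a hook an operator who cannot upgrade yet could run before storing a filter. The datastore layout (a top-level "watching" map of watch uuid to watch object holding an include_filters list), the handling of include_filters as a newline-separated string, and the function names beyond unparsed-text() are assumptions; the sample datastore is constructed.

```python
"""Audit changedetection.io watch filters for XPath functions that read files or URIs.

Added example for CVE-2026-29039; not part of changedetection.io itself.
"""
import json
import re

# XPath 2.0/3.x functions that fetch a resource by URI. unparsed-text() is the
# function named in the advisory; the rest are included on the assumption that
# any URI-reading function is equally unwanted in a user-supplied filter.
URI_READING_FUNCTIONS = (
    "unparsed-text",
    "unparsed-text-lines",
    "unparsed-text-available",
    "doc",
    "doc-available",
    "collection",
    "uri-collection",
)

# Optional "fn:" namespace prefix, the bare function name (not preceded by a
# name character, so "my-doc(" is not matched), optional whitespace, then "(".
# XPath function names are case-sensitive and lowercase, so no IGNORECASE.
_CALL_RE = re.compile(
    r"(?<![\w-])(?:fn:)?("
    + "|".join(re.escape(name) for name in URI_READING_FUNCTIONS)
    + r")\s*\("
)


def risky_xpath_calls(expression: str) -> list[str]:
    """Return the sorted, de-duplicated URI-reading function names called in
    an XPath filter string.

    Matching is textual: string literals are not parsed, so a literal that
    happens to contain "unparsed-text(" is flagged too. For an audit that is
    the right trade-off; a false positive costs one manual look.
    """
    return sorted({m.group(1) for m in _CALL_RE.finditer(expression)})


def is_safe_filter(expression: str) -> bool:
    """True when the filter calls none of the URI-reading functions."""
    return not risky_xpath_calls(expression)


def validate_filter(expression: str) -> str:
    """Reject a filter before it is stored. This is the stop-gap for an
    instance that cannot upgrade yet; the real fix is 0.54.4 or later."""
    calls = risky_xpath_calls(expression)
    if calls:
        raise ValueError(
            "filter calls disallowed XPath function(s): " + ", ".join(calls)
        )
    return expression


def audit_watches(datastore: dict) -> list[tuple[str, str, list[str]]]:
    """Walk a url-watches.json structure and return (watch uuid, filter,
    function names) for every include_filters entry that calls a
    URI-reading function.

    Assumed layout: {"watching": {uuid: {"url": ..., "include_filters": [...]}}}.
    include_filters is treated as a list of strings, or as one
    newline-separated string (an assumption about older datastores).
    """
    findings = []
    for uuid, watch in datastore.get("watching", {}).items():
        filters = watch.get("include_filters") or []
        if isinstance(filters, str):
            filters = filters.splitlines()
        for expr in filters:
            calls = risky_xpath_calls(expr)
            if calls:
                findings.append((uuid, expr, calls))
    return findings


# Constructed sample datastore (not captured from a real instance). Watch a1 is
# a normal XPath filter; b2 and c3 carry filters that call unparsed-text().
SAMPLE_DATASTORE = json.loads("""
{"watching": {
  "a1": {"url": "https://example.com/pricing",
         "include_filters": ["xpath://div[@id='price']"]},
  "b2": {"url": "https://example.com/news",
         "include_filters": ["xpath://h1",
                             "xpath:fn:unparsed-text('file:///path/on/server')"]},
  "c3": {"url": "https://example.com/about",
         "include_filters": "xpath://p\\nxpath:unparsed-text ('/another/path')"}
}}
""")


if __name__ == "__main__":
    import sys
    # Audit a real datastore when given a path, else the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            store = json.load(fh)
    else:
        store = SAMPLE_DATASTORE
    for uuid, expr, calls in audit_watches(store):
        print(f"{uuid}: {expr!r} calls {', '.join(calls)}")
```

Run it with the path to url-watches.json to list every watch whose filter calls one of the listed functions; without an argument it audits the constructed sample. The deny-list is deliberately narrow and textual, which is why it belongs in an audit or a temporary pre-save check rather than as a substitute for the upgrade: a deny-list cannot rule out other ways of reaching the same functions.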
CVE-2026-29039 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a changedetection-io server through crafted XPath expressions. It affects versions up to 0.54.3.
You are affected if you are running changedetection-io version 0.54.3 or earlier. Check your version and upgrade immediately.
Upgrade to version 0.54.4 or later. As a temporary workaround, restrict who can edit watch filters (enable password protection, keep the instance off untrusted networks) and reject or remove any filter that calls unparsed-text().
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the changedetection-io project's release notes and security advisories on their GitHub repository for the latest information.