Impact
The flaw lies in the /static/<group>/<filename> endpoint of the web application, which accepts ".." as a path component and passes it to a file-system call without normalizing the resulting path or checking that it still lies inside the static directory. An attacker can therefore request files outside the intended static directory, exposing the application's source code and any other file the server process can read. The weakness is a classic relative path traversal issue, classified as CWE-22. The vulnerability provides no code execution or privilege escalation; its primary impact is a breach of confidentiality of files on the host.
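The following is an added example, not code from changedetection.io or its fix, that shows the shape of the bug beside a hardened resolver using only the Python standard library. The function names (resolve_static_vulnerable, resolve_static_hardened) and the directory layout built by demo() are assumptions for illustration; in a real Flask application the equivalent safe behaviour comes from flask.send_from_directory or werkzeug.utils.safe_join, which perform the same containment check.

```python
import os
import tempfile


def resolve_static_vulnerable(base_dir: str, group: str, filename: str) -> str:
    """Illustrative weak resolver (not the project's code): joins untrusted
    components without normalizing, so group='..' walks out of base_dir."""
    return os.path.join(base_dir, group, filename)


def resolve_static_hardened(base_dir: str, group: str, filename: str):
    """Resolve the request to a real path and refuse anything outside base_dir.
    Returns the absolute path to serve, or None if the request is rejected."""
    # Reject empty, dot-segment, separator-bearing or NUL-bearing components outright.
    for part in (group, filename):
        if not part or part in (".", "..") or "/" in part or "\\" in part or "\0" in part:
            return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, group, filename))
    # realpath also follows symlinks, so an asset symlinked to a location outside
    # the static tree is rejected too. commonpath (not startswith) avoids the
    # prefix trick where /srv/static2 would pass a check against /srv/static.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Constructed scenario: a static dir with one asset and an application
    source file one directory above it, mirroring the /static/../flask_app.py case."""
    app_dir = tempfile.mkdtemp()
    static_dir = os.path.join(app_dir, "static")
    os.makedirs(os.path.join(static_dir, "css"))
    with open(os.path.join(static_dir, "css", "styles.css"), "w") as f:
        f.write("body { margin: 0 }\n")
    with open(os.path.join(app_dir, "flask_app.py"), "w") as f:
        f.write("SECRET_KEY = 'constructed-example-secret'\n")  # constructed sample

    results = {}
    leaked = resolve_static_vulnerable(static_dir, "..", "flask_app.py")
    with open(leaked) as f:
        results["vulnerable_leaks_source"] = "SECRET_KEY" in f.read()
    results["hardened_blocks_traversal"] = (
        resolve_static_hardened(static_dir, "..", "flask_app.py") is None
    )
    results["hardened_blocks_nested"] = (
        resolve_static_hardened(static_dir, "css/../..", "flask_app.py") is None
    )
    served = resolve_static_hardened(static_dir, "css", "styles.css")
    results["hardened_serves_asset"] = served is not None and os.path.isfile(served)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The component-level rejection and the realpath containment check are deliberately redundant: the first gives a cheap, readable reason for refusing a request, the second catches whatever the first did not anticipate (symlinks, platform-specific separators, encoding that was decoded before routing).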
Affected Systems
The affected product is changedetection.io from dgtlmoon; all releases before version 0.53.2 are vulnerable. Version 0.53.2 contains the fix, which removes the vulnerable logic, so upgrading to 0.53.2 or later is the remediation.
Risk and Exploitability
The CVSS score is 5.3 (moderate severity), and the EPSS score is below 1%, suggesting a very low probability of exploitation in the wild at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP request for a URL such as /static/../flask_app.py, which the application serves as plain text. Browsers and most HTTP client libraries collapse the ".." segment before the request leaves the client, so an attacker has to send the raw path (for example with curl --path-as-is); this is a practical detail, not a mitigation. The attack surface is limited to reading files that the server process can access, with no write or execute capability, but the leaked files can contain hard-coded secrets, API keys or configuration that enable further attacks. No authentication, user interaction or race condition is required, making the attack straightforward yet confined to the local file system of the web server.
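Because exploitation is a single request, the attempt is visible in the web server or reverse-proxy access log. The following is an added example, not part of the OpenCVE record or the project, that flags dot-segment traversal under /static/ in constructed combined-format log lines, including percent-encoded and double-encoded variants. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /static/styles/app.css HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:12:00:01 +0000] "GET /static/../flask_app.py HTTP/1.1" 200 8192
10.0.0.7 - - [01/Jan/2025:12:00:02 +0000] "GET /static/%2e%2e/flask_app.py HTTP/1.1" 200 8192
10.0.0.7 - - [01/Jan/2025:12:00:03 +0000] "GET /static/%252e%252e/flask_app.py HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2025:12:00:04 +0000] "GET /static/js/..foo.js HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def is_traversal_path(raw_path: str) -> bool:
    """True if the request path targets /static/ and contains a '..' segment
    after decoding. Decoding twice catches double-encoded attempts, which
    matter when a proxy decodes once before the application decodes again."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    if not path.startswith("/static/"):
        return False
    # Only a whole segment equal to '..' is a dot segment; '..foo.js' is benign.
    return any(segment == ".." for segment in path.split("/"))


def scan_log(text: str):
    """Return (client_ip, raw_path, status) for every traversal attempt found."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        if is_traversal_path(match.group("path")):
            client_ip = line.split()[0]
            hits.append((client_ip, match.group("path"), int(match.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A hit with status 200 and a non-trivial response size on an unpatched host is the signal that a file was actually served; a 404 only shows that the request was attempted. Matching on the raw path rather than a normalized one is intentional here, since a legitimate client never emits a literal ".." segment.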
OpenCVE Enrichment