Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
Published: 2026-03-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Patch
AI Analysis

Impact

The vulnerability resides in changedetection.io's processing of XPath expressions supplied via the include_filters field. The elementpath library implements XPath 3.0/3.1 and supports the unparsed-text() function, which can read any file on the filesystem. Because the application fails to validate or sanitize the XPath expression, an attacker can craft an expression that invokes unparsed-text() and obtain the contents of any file the application process can access.

Affected Systems

All installations of dgtlmoon:changedetection.io built before version 0.54.4 are affected. The vulnerable functionality is the include_filters configuration that accepts arbitrary XPath expressions.

Risk and Exploitability

CVSS 8.8 indicates a high severity of arbitrary file access. EPSS score is lower than 1% suggesting the likelihood of exploitation is low but not zero. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves an attacker submitting a malicious XPath expression via the include_filters field, either through a public-facing API or an exposed configuration mechanism. No authentication or privileged user rights are required, assuming the application accepts unauthenticated filter input. The attack would allow the attacker to read any file readable by the application process, potentially exposing sensitive configuration, logs, or credentials.

Generated by OpenCVE AI on April 16, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade changedetection.io to version 0.54.4 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, disable or heavily restrict the use of XPath expressions in the include_filters field, or implement input validation to reject expressions that dangerous functions such as unparsed-text().
  • Review the application’s deployment to ensure it runs under a dedicated least‑privilege user, limiting the scope of files that can be read even if a malicious expression is executed.

Generated by OpenCVE AI on April 16, 2026 at 11:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6fmw-82m7-jq6p changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text()
History

Tue, 10 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Webtechnologies
Webtechnologies changedetection
CPEs cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*
Vendors & Products Webtechnologies
Webtechnologies changedetection
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Dgtlmoon
Dgtlmoon changedetection.io
Vendors & Products Dgtlmoon
Dgtlmoon changedetection.io

Fri, 06 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
Description changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
Title changedetection.io: XPath - Arbitrary File Read via unparsed-text()
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Dgtlmoon Changedetection.io
Webtechnologies Changedetection
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:58:22.717Z

Reserved: 2026-03-03T17:50:11.242Z

Link: CVE-2026-29039

cve-icon Vulnrichment

Updated: 2026-03-09T19:58:18.329Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T07:16:01.573

Modified: 2026-03-10T19:37:32.177

Link: CVE-2026-29039

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses