Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.
Published: 2026-03-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite
Action: Apply Patch
AI Analysis

Impact

A zip slip flaw in the backup restore function of changedetection.io lets an attacker craft a ZIP archive whose entries are extracted to arbitrary locations on the server, overwriting existing files. The vulnerability is classified as CWE-22 (path traversal). Based on the description, it is inferred that overwriting executable or configuration files could lead to remote code execution or disruption of service, although the CVE does not explicitly state these outcomes.

Affected Systems

The affected product is dgtlmoon's changedetection.io, an open-source web page change detection service. All releases prior to version 0.54.4 are vulnerable. The security advisory indicates that updating to version 0.54.4 or later resolves the issue.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity, and the EPSS score of less than 1% indicates a low but non-zero probability of exploitation. The risk is highest when the backup restore endpoint is exposed to users without strong authentication or authorization controls. Although the vulnerability is not listed in CISA's KEV catalog, the potential for critical file overwrite warrants swift remediation. The likely attack vector is remote: an attacker uploads a malicious ZIP during a restore operation, and the path traversal is triggered when the archive is unpacked.

Generated by OpenCVE AI on April 17, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade changedetection.io to version 0.54.4 or later to apply the vendor fix for the zip slip issue.
  • If upgrading cannot be performed immediately, limit the backup restore functionality to trusted administrators only or disable the feature until a patch is available.
  • Implement input validation that detects and rejects ZIP entries containing path traversal sequences before extraction, following best practices for mitigating CWE-22.
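
As an added example (not code from the changedetection.io project or from this advisory), the following Python restore helper validates every archive member against the destination directory before anything is written, which is the check the last recommendation describes. The member names, file contents and destination path used with it are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

class UnsafeZipEntry(ValueError):
    """A ZIP member that would be written outside the restore directory."""

def member_targets(zf: zipfile.ZipFile, dest: Path) -> list[Path]:
    """Resolve every member against dest; raise UnsafeZipEntry on the first bad one."""
    dest = dest.resolve()
    targets = []
    for info in zf.infolist():
        name = info.filename
        if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            raise UnsafeZipEntry(f"absolute path: {name!r}")  # POSIX root or drive letter
        # resolve() collapses '..' segments, so the containment check sees the real target.
        target = (dest / name).resolve()
        if dest not in target.parents:
            raise UnsafeZipEntry(f"path traversal: {name!r}")
        targets.append(target)
    return targets

def is_safe_archive(zip_bytes: bytes, dest: str) -> bool:
    """True when every member stays under dest; nothing is written to disk."""
    try:
        member_targets(zipfile.ZipFile(io.BytesIO(zip_bytes)), Path(dest))
        return True
    except UnsafeZipEntry:
        return False

def safe_restore(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate all members before writing anything, then extract; returns relative paths."""
    dest_path = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = member_targets(zf, dest_path)
        for info, target in zip(zf.infolist(), targets):
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))  # writes under the raw name, hence the check above
    return sorted(str(t.relative_to(dest_path)) for t in targets)

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; zipfile stores member names verbatim, '..' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Because validation runs over the whole member list before the first write, a single bad entry rejects the archive instead of leaving a partially restored datastore behind.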

Advisories

Source: GitHub GHSA
ID: GHSA-25g8-2mcf-fcx9
Title: changedetection.io has Zip Slip vulnerability in the backup restore functionality

History

Tue, 10 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webtechnologies; Webtechnologies changedetection
CPEs | | cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*
Vendors & Products | | Webtechnologies; Webtechnologies changedetection
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Mon, 09 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dgtlmoon; Dgtlmoon changedetection.io
Vendors & Products | | Dgtlmoon; Dgtlmoon changedetection.io

Fri, 06 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
Description | | changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.
Title | | changedetection.io: Zip Slip vulnerability in the backup restore functionality
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-09T19:59:16.113Z
Reserved: 2026-03-03T20:51:43.482Z
Link: CVE-2026-29065

Vulnrichment

Updated: 2026-03-09T19:59:10.639Z

NVD

Status: Analyzed
Published: 2026-03-06T07:16:02.437
Modified: 2026-03-10T20:00:57.860
Link: CVE-2026-29065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses