Impact
This vulnerability allows the use of the jq environment variable builtin within include filter expressions in changedetection.io. When an authenticated user (or an unauthenticated user if no password is enabled) adds a watch, the process environment variables are read and stored as part of the watch snapshot. Secrets such as SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, or any other secrets exported to the container become visible to users with access to the watch data, thereby breaching confidentiality.
Affected Systems
The flaw affects changedetection.io, the open-source web page change detection tool (dgtlmoon:changedetection.io). All installations running a version earlier than 0.54.7 are vulnerable. Users who operate the application without authentication or with domain‑scope authentication can trigger the data leakage.
Risk and Exploitability
The CVSS v3.1 score of 8.3 classifies this as a High severity vulnerability. The EPSS score is below 1%, indicating a low likelihood of being exploited in the wild, and it is not listed in CISA’s KEV catalog. Based on the description, the attack vector is likely local / application, where an attacker can send a crafted request that includes a jq filter. Successful exploitation results in exposure of environment secrets to the attacker, which could lead to further compromise of the host or other systems if those secrets are used for privileged access.
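For reviewing an instance that ran a version earlier than 0.54.7, the sketch below scans include filter strings for jq programs that reference the process environment. It is an added example, not code from changedetection.io or the advisory; it assumes jq filters carry a `jq:` or `jqraw:` prefix and that the filters have already been exported as a list of strings, and `code_only` and `audit_filters` are hypothetical names.

```python
import re

# Assumption: include filters starting with these prefixes are run as jq programs.
JQ_PREFIXES = ("jq:", "jqraw:")
# jq reads the process environment through the bare builtin `env` or the `$ENV`
# variable; `.env` (field access) and `$env` (user variable) are excluded.
ENV_REF = re.compile(r"(?<![\w.$])env(?!\w)|\$ENV(?!\w)")

def code_only(program):
    """Drop jq string literals and # comments, keeping interpolated expressions."""
    out, stack, i = [], [], 0  # stack: "s" = in a string, int = paren depth in \( )
    while i < len(program):
        c = program[i]
        if stack and stack[-1] == "s":          # inside a string literal
            if c == "\\":
                if program[i + 1:i + 2] == "(":
                    stack.append(1)             # interpolation: back to code
                i += 2
                continue
            if c == '"':
                stack.pop()
        elif c == '"':
            stack.append("s")
            out.append(" ")
        elif c == "#":                          # comment runs to end of line
            nl = program.find("\n", i)
            i = len(program) if nl < 0 else nl
            continue
        else:
            if stack and c in "()":
                stack[-1] += 1 if c == "(" else -1
                if stack[-1] == 0:              # interpolation closed
                    stack.pop()
                    c = " "
            out.append(c)
        i += 1
    return "".join(out)

def audit_filters(filters):
    """Return the jq filters that reference the process environment."""
    return [f for f in filters if f.startswith(JQ_PREFIXES)
            and ENV_REF.search(code_only(f.split(":", 1)[1]))]

# Constructed sample filters (not taken from a real instance).
SAMPLE = [
    "jq:.items[] | {name, price}", "jq:.config.env",
    'jq:.msg | select(. == "env")', "jq:env",
    'jqraw:.title + " \\($ENV.EXAMPLE_VAR)"', "div.env-banner",
]
```

The check errs toward flagging: an object key written as `{env: ...}` is reported as well, so hits should be reviewed by hand.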