The vulnerability lies in the SafeXPath3Parser implementation of ChangeDetection.io, where the blocklist of dangerous XPath 3.0/3.1 functions is incomplete. Attackers can supply malicious XPath expressions that include file‑access primitives such as json-doc() to read arbitrary local files. This allows a compromise of confidentiality by exposing sensitive data that resides on the host filesystem, with a CVSS score of 7.1 indicating a high risk severity.

Any deployment of ChangeDetection.io with a version earlier than 0.54.7 is affected. The product is maintained by the dgtlmoon project. No additional vendor or product names are listed, and the impacted versions are all releases preceding 0.54.7 unless otherwise patched.

The CVSS score of 7.1 reflects a considerable threat, though the EPSS score is not available and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote; an attacker can invoke the vulnerable parser by submitting crafted XPath expressions through the web interface or API, assuming the target system is reachable and the parser is not restricted. Because the vulnerability exploitable via an input data field, the prerequisites are minimal: network access and the ability to supply input. The exploitation can lead to read access to any local file, potentially exposing configuration files, secrets, or other sensitive data.