Description
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
Published: 2026-05-12
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

changedetection.io 0.54.9 and earlier parse XML input without disabling external entity resolution, exposing the application to XML External Entity attacks that can cause the application to read local files or fetch network resources. This flaw is consistent with CWE-611 and may result in disclosure of sensitive information without any additional exploitation steps.

Affected Systems

The affected product is changedetection.io from vendor dgtlmoon, all releases 0.54.9 and earlier. Installations running these versions remain vulnerable until updated.

Risk and Exploitability

The CVSS score of 8.2 classifies this flaw as high severity. EPSS information is not available, so the probability of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the defect by providing crafted XML to the xpath_filter feature, which the application unconditionally processes. Successful exploitation requires only that the application accept user‑supplied XML, making this a realistic threat for deployments that expose the feed parser to untrusted content.

Generated by OpenCVE AI on May 12, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade changedetection.io to a version newer than 0.54.9 that disables external entity resolution in the XML parser.
  • If an upgrade is not possible, modify the source to instantiate the XML parser with options that prohibit external entities, disable DTD loading, and prevent network-backed entity lookup.
  • As a temporary measure, filter or reject any XML document containing DTD declarations before it reaches the xpath_filter function, and block outbound connections used by the XML parser to stop network entity resolution.

Generated by OpenCVE AI on May 12, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v7cp-2cx9-x793 changedetection.io project has an XXE vulnerability
History

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Dgtlmoon
Dgtlmoon changedetection.io
Vendors & Products Dgtlmoon
Dgtlmoon changedetection.io

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
Title changedetection.io: XXE vulnerability in the changedetection.io project
Weaknesses CWE-611
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dgtlmoon Changedetection.io
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:52:23.680Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41895

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:23.493

Modified: 2026-05-12T18:17:23.493

Link: CVE-2026-41895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses