CVE-2026-43891 - Vulnerability Details

Description

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.

Published: 2026-05-12

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to read any file on the system by crafting a backup ZIP that contains paths pointing to arbitrary files. During restore, the application copies each watch directory directly into the live datastore, preserving the attacker‑controlled file structure, and then parses a history file that can be manipulated to expose local file contents. This flaw is a classic Local File Inclusion type, classified as CWE‑73, and can potentially expose configuration files, credentials, or other sensitive information.

Affected Systems

The affected product is changedetection.io from dgtlmoon. Versions prior to 0.55.1 are vulnerable; the issue was addressed in release 0.55.1.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate‑to‑high severity. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker providing a crafted backup file to an administrator who has permission to restore backups, leading to arbitrary local file read. While the flaw does not allow remote code execution, gaining access to local files can still compromise confidentiality and potentially extend to higher privilege operations if sensitive files are disclosed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

dgtlmoon

changedetection.io

affected

Version	Status	Constraints
`< 0.55.1`	affected	—

No data.

Vendor Product Confidence Versions

Dgtlmoon

Changedetection.io

100%

Version	Status	Scheme	Platform
`[0,0.55.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade changedetection.io to version 0.55.1 or later.
Restrict the backup restore functionality to trusted administrators and ensure that the backup ZIP source is physically secure or screened.
If an upgrade is not immediately possible, disable the backup restore feature or validate all file paths in the ZIP to prevent writing outside the intended watch directories.

Generated by OpenCVE AI on May 12, 2026 at 20:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8757-69j2-hx56	changedetection.io has an Arbitrary Local File Read via a crafted backup restore

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56

History

Tue, 12 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dgtlmoon Dgtlmoon changedetection.io
Vendors & Products		Dgtlmoon Dgtlmoon changedetection.io

Tue, 12 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.
Title		changedetection.io: Arbitrary Local File Read via crafted backup restore
Weaknesses		CWE-73
References		https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Dgtlmoon Changedetection.io

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-12T16:56:33.823Z

Updated: 2026-05-12T16:56:33.823Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43891

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T18:17:28.493

Modified: 2026-05-12T18:17:28.493

Link: CVE-2026-43891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:00:18Z

Weaknesses

CWE-73

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object