CVE-2026-25527

Name of the Vulnerable Software and Affected Versions changedetection.io versions prior to 0.53.2

Description changedetection.io is a web page change detection tool. Versions prior to 0.53.2 are susceptible to an unauthenticated local file read of application source files. The /static/<group>/<filename> API endpoint allows the group parameter to be set to "..", which results in the execution of send from directory("static/..", filename). This action elevates the base directory to /app/changedetectionio, potentially exposing source files like flask app.py.

Recommendations Update to version 0.53.2 or later.