PT-2026-23090 · Unknown · Elementpath+1
Dhiyaneshgeek +1 · Published 2026-03-04 · Updated 2026-03-11 · CVE-2026-29039
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
changedetection.io versions prior to 0.54.4
Description
The changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These expressions are evaluated by the elementpath library, which implements the XPath 3.0/3.1 specifications. XPath 3.0 includes the unparsed-text() function, which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, so an attacker can read any file accessible to the application process. The vulnerable code resides in html_tools.py, in the xpath_filter() function (lines 187-220). The validation in forms.py checks only that the XPath expression is syntactically valid; it does not prevent the use of dangerous functions such as unparsed-text(). An attacker can exploit this by setting the include_filters field to an XPath expression that uses unparsed-text() to read arbitrary files, such as /etc/passwd.
Recommendations
Update to changedetection.io version 0.54.4 or later.
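The check that the description says is missing, sketched as an added example (not changedetection.io's or elementpath's code, and not the 0.54.4 fix): a standard-library pre-filter that rejects an XPath expression before evaluation if it calls a function that reads files, URLs or the environment. The denylist contents and the names strip_literals_and_comments and blocked_calls are assumptions made for illustration.

```python
import re

# Assumed denylist (not the project's own): XPath 2.0-3.1 functions that
# read files, URLs or the process environment.
BLOCKED_FUNCTIONS = frozenset({
    "unparsed-text", "unparsed-text-lines", "unparsed-text-available",
    "doc", "doc-available", "collection", "uri-collection", "json-doc",
    "environment-variable", "available-environment-variables",
})

# Optional prefix or Q{uri} qualifier, a local name, then "(" for a call
# or "#" for a named function reference such as unparsed-text#1.
_CALL = re.compile(r"(?:Q\{[^}]*\}|[A-Za-z_][\w.-]*:)?([A-Za-z_][\w.-]*)\s*[(#]")


def strip_literals_and_comments(expr):
    """Blank string literals and (: ... :) comments so they can neither
    hide a call nor trigger a false match."""
    out, i = [], 0
    while i < len(expr):
        if expr[i] in "'\"":
            end = expr.find(expr[i], i + 1)
            if end == -1:
                raise ValueError("unterminated string literal")
            out.append("''")          # keep an empty literal as a placeholder
            i = end + 1
        elif expr.startswith("(:", i):
            depth, i = 1, i + 2       # XPath comments may nest
            while depth and i < len(expr):
                if expr.startswith("(:", i):
                    depth, i = depth + 1, i + 2
                elif expr.startswith(":)", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            if depth:
                raise ValueError("unterminated comment")
            out.append(" ")
        else:
            out.append(expr[i])
            i += 1
    return "".join(out)


def blocked_calls(expr):
    """Return the sorted denylisted function names used in expr."""
    cleaned = strip_literals_and_comments(expr)
    names = {m.group(1) for m in _CALL.finditer(cleaned)}
    return sorted(names & BLOCKED_FUNCTIONS)
```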
Exploit
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Changedetection.Io
Elementpath