PT-2026-29588 · Unknown · Changedetection.Io

Published: 2026-04-01 · Updated: 2026-04-02 · CVE-2026-35000

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ChangeDetection.io versions prior to 0.54.7

Description

ChangeDetection.io contains a protection bypass in the SafeXPath3Parser implementation. This allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions like json-doc() and similar file-access primitives. The incomplete blocklist of dangerous XPath functions enables access to sensitive data on the local filesystem.

Recommendations

Update to version 0.54.7 or later.
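
The weakness class in the description, shown as an added example (this is not ChangeDetection.io's code or its fix): a denylist that names only some functions lets json-doc() through, while an allowlist check fails closed on anything it does not recognise. The function lists, helper names and sample expressions are constructed for illustration.

```python
import re

# Constructed, deliberately partial denylist of the kind the advisory describes
# (an assumption for illustration; not the project's actual list).
DENYLIST = {"doc", "unparsed-text", "environment-variable"}

# Constructed allowlist: node tests and pure string/number helpers only.
ALLOWLIST = {"text", "node", "string", "concat", "contains", "starts-with",
             "normalize-space", "count", "position", "last", "not"}

_STRING = re.compile(r'"(?:[^"]|"")*"|\'(?:[^\']|\'\')*\'')
# A name followed by "(" (call) or "#" (named function reference).
_FUNC = re.compile(r'(?:([A-Za-z_][\w.-]*):)?([A-Za-z_][\w.-]*)\s*[(#]')


def functions_used(xpath):
    """Return the set of (prefix, local-name) pairs referenced in the expression."""
    stripped = _STRING.sub('""', xpath)  # names inside string literals are not calls
    return {(m.group(1), m.group(2)) for m in _FUNC.finditer(stripped)}


def denylist_permits(xpath):
    """Weak check: rejects only the names someone remembered to list."""
    return not any(name in DENYLIST for _, name in functions_used(xpath))


def allowlist_permits(xpath):
    """Fail-closed check: every function must be known-safe and unprefixed or fn:."""
    return all(prefix in (None, "fn") and name in ALLOWLIST
               for prefix, name in functions_used(xpath))


# Constructed sample expressions.
SAMPLES = [
    '//div[contains(@class, "price")]/text()',
    'doc("placeholder.xml")',
    'json-doc("placeholder.json")',
    'fn:json-doc("placeholder.json")',
    '//p[. = "call json-doc(x) for help"]',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{denylist_permits(s)!s:5} {allowlist_permits(s)!s:5} {s}")
```

The allowlist also rejects constructs it cannot classify, such as `if (...)` expressions, so a legitimate expression may need its functions added explicitly.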

Fix

Incomplete List of Disallowed Inputs

Weakness Enumeration

Related Identifiers

CVE-2026-35000

Affected Products

Changedetection.Io