PT-2026-37163 · Unknown · Changedetection.Io

Published 2026-05-04 · Updated 2026-05-13 · CVE-2026-41895

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: changedetection.io versions 0.54.9 and earlier

Description: The software contains an XML External Entity (XXE) issue. The xpath filter() function switches to XML mode for XML/RSS content and creates an etree.XMLParser(strip_cdata=False) without disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(). An attacker who controls a monitored XML/RSS response body can therefore use an XPath include filter to trigger the parsing of external entity declarations, potentially leading to local file disclosure, with the contents of sensitive files exposed in watch output, diff history, and notification channels.

Recommendations: For versions 0.54.9 and earlier, harden the XML parser construction by setting resolve_entities=False, load_dtd=False, and no_network=True. As a temporary mitigation, avoid using XPath include filters on untrusted XML/RSS content.
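The parser construction the advisory recommends, shown beside the weak one it describes, as an added example that is not changedetection.io's own code; it assumes lxml is installed, and the feed bodies and the description-extraction helper are constructed for the demonstration:

```python
"""Hardened lxml parser construction for untrusted XML/RSS bodies (added example)."""
from lxml import etree

# Constructed sample feeds. The first declares an internal entity, the second an
# external SYSTEM entity pointing at a local file path (a placeholder path, and
# the file is never read by the hardened parser).
INTERNAL_ENTITY_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY greet "hello"> ]>
<rss><channel><item><description>&greet;</description></item></channel></rss>
"""
EXTERNAL_ENTITY_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY ext SYSTEM "file:///placeholder/path/secret.txt"> ]>
<rss><channel><item><description>&ext;</description></item></channel></rss>
"""


def vulnerable_parser() -> etree.XMLParser:
    """The construction the advisory describes: CDATA kept, every entity-related
    option left at its default, so entity references are expanded."""
    return etree.XMLParser(strip_cdata=False)


def hardened_parser() -> etree.XMLParser:
    """Same parser with the three settings the advisory recommends."""
    return etree.XMLParser(
        strip_cdata=False,
        resolve_entities=False,  # leave entity references unexpanded
        load_dtd=False,          # never load an external DTD
        no_network=True,         # no network-backed entity or DTD lookups
    )


def description_texts(xml_bytes: bytes, parser: etree.XMLParser) -> list[str]:
    """Apply an XPath include filter the way a watch would and return the text of
    every <description>. With the hardened parser an entity reference survives
    as a child node whose tag is etree.Entity, so its raw form ("&name;") is
    reported instead of any resolved content."""
    root = etree.fromstring(xml_bytes, parser=parser)
    results = []
    for node in root.xpath("//item/description"):
        text = node.text or ""
        for child in node:
            if child.tag is etree.Entity:
                text += child.text  # the unexpanded "&name;" reference
            text += child.tail or ""
        results.append(text)
    return results
```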

Fix

XXE


Weakness Enumeration

Related Identifiers

CVE-2026-41895
GHSA-V7CP-2CX9-X793
PYSEC-2026-29

Affected Products

Changedetection.Io