PT-2026-37302 · Unknown · Changedetection.Io

Published

2026-05-05

·

Updated

2026-05-12

·

CVE-2026-43891

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.55.1
Description: An arbitrary local file disclosure vulnerability exists because the application trusts attacker-controlled snapshot paths restored from backup files. During the backup restore process, the application extracts a ZIP archive and copies the watch UUID directories into the live datastore with shutil.copytree(), which preserves any attacker-supplied files, including history.txt. The application then parses history.txt in the watch's history property; if an entry contains path separators and the referenced path exists on the local filesystem, it is accepted as a valid snapshot path.
Subsequently, get_history_snapshot() reads the resolved path directly, without verifying that it remains within the watch directory. An attacker can therefore supply a crafted backup ZIP whose history.txt points at a sensitive local file (e.g., /etc/passwd); the contents of that file are then disclosed through the Preview UI or the watch history API.
Recommendations: Update to version 0.55.1 or later.
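The following Python is an added example, not code from changedetection.io. It models the history.txt handling the description attributes to the vulnerable version (an entry with a path separator that points at an existing file is accepted as-is) next to a hardened parser that drops any entry resolving outside the watch directory, and runs both against a crafted watch directory of the kind a malicious backup ZIP would restore. The function names (parse_history_unsafe, parse_history_safe, get_history_snapshot, demo), the datastore layout and the "secret.txt" file standing in for /etc/passwd are this example's own assumptions so that it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Constructed model of the behaviour described in the advisory; this is not
# changedetection.io's code. history.txt lines have the form "timestamp,path".


def parse_history_unsafe(watch_dir: Path) -> dict:
    """Vulnerable model: an entry containing a path separator is used verbatim
    whenever that path exists, so a restored history.txt can point anywhere."""
    history = {}
    for line in (watch_dir / "history.txt").read_text().splitlines():
        if not line.strip():
            continue
        ts, fname = line.split(",", 1)
        if os.sep in fname and os.path.exists(fname):
            history[ts] = fname  # attacker-controlled path accepted as a snapshot
        else:
            history[ts] = str(watch_dir / fname)
    return history


def parse_history_safe(watch_dir: Path) -> dict:
    """Hardened model: every entry must resolve to a file inside watch_dir.
    resolve() also defeats '..' segments and symlinks pointing out of the dir."""
    root = watch_dir.resolve()
    history = {}
    for line in (watch_dir / "history.txt").read_text().splitlines():
        if not line.strip():
            continue
        ts, fname = line.split(",", 1)
        # An absolute fname replaces watch_dir in the join, which is exactly
        # why the containment check below is required.
        candidate = (watch_dir / fname).resolve()
        if root not in candidate.parents:
            continue  # escapes the watch directory: discard the entry
        history[ts] = str(candidate)
    return history


def get_history_snapshot(history: dict, ts: str) -> str:
    """Reads the snapshot for a timestamp; the vulnerable model never re-checks
    the path here, so whatever the parser accepted gets disclosed."""
    return Path(history[ts]).read_text()


def demo() -> dict:
    """Build a crafted 'restored backup' in a temp dir and run both parsers."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-in for /etc/passwd, living outside the datastore.
        secret = tmp / "outside" / "secret.txt"
        secret.parent.mkdir()
        secret.write_text("root:x:0:0:root:/root:/bin/bash\n")

        # One watch UUID directory as copytree() would leave it after restore.
        watch_dir = tmp / "datastore" / "3f1c-example-uuid"
        watch_dir.mkdir(parents=True)
        (watch_dir / "1700000000.txt").write_text("legit snapshot\n")
        # Crafted history.txt: one legitimate entry, one absolute path.
        (watch_dir / "history.txt").write_text(
            f"1700000000,1700000000.txt\n1700000001,{secret}\n"
        )

        unsafe = parse_history_unsafe(watch_dir)
        safe = parse_history_safe(watch_dir)
        return {
            "unsafe_keys": sorted(unsafe),
            "unsafe_leak": get_history_snapshot(unsafe, "1700000001"),
            "safe_keys": sorted(safe),
            "safe_legit": get_history_snapshot(safe, "1700000000"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check uses the resolved path rather than string prefix matching on purpose: a prefix test on "/data/watch" would also accept "/data/watch-evil/x", and it would not catch a symlink planted inside the watch directory by the same restore step.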

Related Identifiers

CVE-2026-43891
GHSA-8757-69J2-HX56
PYSEC-2026-30

Affected Products

Changedetection.Io