CVE-2026-29039
Arbitrary File Read via XPath Injection in changedetection.io
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtechnologies | changedetection | up to 0.54.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows an attacker to perform arbitrary file reads on the system where changedetection.io is running, limited to files accessible by the application process. The consequences include:
- Exposure of sensitive files such as configuration files, credentials, and API keys.
- Disclosure of application source code and database files (e.g., SQLite files).
- Potential leakage of environment variables and other sensitive runtime information.
Such exposure can lead to further attacks, data breaches, or unauthorized access to critical systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
The vulnerability CVE-2026-29039 affects the changedetection.io application versions up to 0.54.3. It allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library implementing XPath 3.0/3.1, which includes the unparsed-text() function capable of reading arbitrary files from the filesystem.
The application does not validate or sanitize these XPath expressions to block dangerous functions like unparsed-text(). As a result, an attacker can craft XPath expressions that read any file accessible to the application process, such as configuration files, credentials, or source code.
This vulnerability was patched in version 0.54.4 by replacing the XPath parser with a safe subclass that disables unsafe functions and by enhancing validation to reject dangerous XPath expressions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the changedetection.io application is running a vulnerable version (≤ 0.54.3) and if it allows XPath expressions containing dangerous functions like unparsed-text() in the include_filters field.
One practical detection method is to create or inspect existing watch configurations for XPath expressions that use the unparsed-text() function or other unsafe XPath 3.0 functions.
A proof-of-concept exploit involves creating a watch with an XPath filter such as unparsed-text('file:///etc/passwd') and triggering a recheck to see if arbitrary file contents are returned.
Commands or steps to detect exploitation attempts or presence of the vulnerability include:
- Review changedetection.io configuration files or datastore entries for XPath expressions containing unparsed-text() or similar functions.
- Monitor application logs or snapshots for unexpected file content outputs, such as contents of /etc/passwd or other sensitive files.
- Use a script or manual test to submit an XPath filter with unparsed-text('file:///etc/passwd') and observe if the file content is returned in the UI or logs. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade changedetection.io to version 0.54.4 or later, where the vulnerability has been patched.
The patch replaces the vulnerable XPath3Parser with a SafeXPath3Parser that disables unsafe XPath functions such as unparsed-text(), unparsed-text-lines, doc, environment-variable, and others.
Additionally, the patch enforces validation that rejects XPath expressions containing these dangerous functions at form submission and during XPath evaluation.
If upgrading immediately is not possible, consider:
- Disabling or restricting user input of XPath expressions in the include_filters field to prevent use of unsafe functions.
- Manually auditing and removing any existing XPath filters that use unsafe functions.
- Monitoring for suspicious activity or unexpected file content exposure.
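The review of stored include_filters described in the detection and mitigation answers above can be scripted. The following is an added example, not changedetection.io's own code or its patch: it assumes watch records are available as a mapping of watch id to a dict with an include_filters list, and the sample watches and the function names beyond the four the page lists are constructed assumptions.

```python
import re

# Functions the page names as disabled by the 0.54.4 patch ("and others").
PAGE_NAMED = {"unparsed-text", "unparsed-text-lines", "doc", "environment-variable"}
# Assumption: further standard XPath 3.1 functions that reach outside the
# document. Added for audit coverage; not taken from the patch.
ASSUMED_EXTRA = {"unparsed-text-available", "doc-available", "collection",
                 "uri-collection", "json-doc", "available-environment-variables"}
UNSAFE = PAGE_NAMED | ASSUMED_EXTRA

# XPath comments and string literals are blanked first, so that text such as
# contains(., 'see doc(1)') is not reported as a call.
_NOISE = re.compile(r"""\(:.*?:\)|"(?:[^"]|"")*"|'(?:[^']|'')*'""", re.S)
# An unsafe name used as a call "name(" or as a function reference "name#1".
# The lookbehind rejects longer names such as my-doc( but still allows a
# prefix (fn:doc) or a braced namespace (Q{...}doc).
_NAMES = "|".join(sorted(map(re.escape, UNSAFE), key=len, reverse=True))
_CALL = re.compile(r"(?<![\w.\-])(" + _NAMES + r")\s*[(#]")

def unsafe_functions(expr):
    """Return the sorted unsafe function names used in one filter string."""
    return sorted(set(_CALL.findall(_NOISE.sub(" ", expr))))

def audit_watches(watches):
    """Return (watch_id, filter, names) for every filter that needs review."""
    findings = []
    for watch_id, watch in watches.items():
        for flt in watch.get("include_filters") or []:
            names = unsafe_functions(flt)
            if names:
                findings.append((watch_id, flt, names))
    return findings

# Constructed sample data; the ids and the record layout are assumptions.
SAMPLE_WATCHES = {
    "watch-a": {"include_filters": ["//div[@id='price']/text()"]},
    "watch-b": {"include_filters": ["unparsed-text('file:///etc/passwd')"]},
    "watch-c": {"include_filters": ["//p[contains(., 'see doc(1)')]", "//doc/title"]},
    "watch-d": {"include_filters": ["fn:environment-variable (: note :) ('HOME')"]},
}

if __name__ == "__main__":
    for watch_id, flt, names in audit_watches(SAMPLE_WATCHES):
        print(f"{watch_id}: {', '.join(names)} in {flt!r}")
```

A hit marks a filter for manual review and removal; the scan is a text-level check and does not replace upgrading to 0.54.4 or later.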