Executive Summary

CVE-2026-35000 is a vulnerability in ChangeDetection.io versions prior to 0.54.7 involving the SafeXPath3Parser component. It arises because certain dangerous XPath 3.0/3.1 functions, such as json-doc() and similar file-access primitives, were not properly blocked. This incomplete blocklist allows attackers to bypass protections and read arbitrary local files on the system.

The vulnerability exploits the ability to use unblocked XPath functions to access sensitive data from the local filesystem. The issue was fixed by adding these dangerous XPath functions to a blocklist, preventing their misuse.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with limited privileges to read arbitrary local files on the system running ChangeDetection.io. As a result, sensitive data stored locally could be exposed to unauthorized parties.

Because the vulnerability enables arbitrary file reads, it can lead to data leakage and compromise confidentiality, potentially exposing private or sensitive information.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the ChangeDetection.io installation is running a version prior to 0.54.7, as those versions contain the vulnerable SafeXPath3Parser implementation.

One way to detect exploitation attempts is to monitor logs or inputs for usage of dangerous XPath functions such as json-doc(), json-doc-available(), collection(), uri-collection(), transform(), and load-xquery-module(), which are known to be exploited for arbitrary file reads.

Since the vulnerability involves XPath expressions, you can search for suspicious XPath queries in application logs or network traffic that include these functions.

• Check the version of changedetection.io installed: `changedetection.io --version` or check the package version in your environment.
• Search application logs for usage of vulnerable XPath functions, e.g., using grep: `grep -E "json-doc|json-doc-available|collection|uri-collection|transform|load-xquery-module" /path/to/changedetection/logs/*`
• Monitor network traffic or API requests for XPath expressions containing these functions.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade ChangeDetection.io to version 0.54.7 or later, where the vulnerability has been fixed by blocking dangerous XPath functions.

If immediate upgrade is not possible, you should restrict or block usage of the vulnerable XPath functions such as json-doc(), json-doc-available(), collection(), uri-collection(), transform(), and load-xquery-module() within your environment to prevent exploitation.

Additionally, monitor and audit logs for suspicious XPath queries attempting to access local files and restrict access permissions to sensitive files on the filesystem.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to read arbitrary local files, potentially exposing sensitive data stored on the local filesystem.

Exposure of sensitive data due to arbitrary file read vulnerabilities can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and health-related information.

Therefore, if exploited, this vulnerability could result in unauthorized disclosure of protected data, violating compliance requirements related to data privacy and security.

Useful 0 Not Useful 0