Vulnerability Description
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webtechnologies | Changedetection | < 0.54.7 |
Related Weaknesses (CWE)
References
- https://github.com/dgtlmoon/changedetection.io/commit/dadc804567a51f803cd6715f78 (Patch)
- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7 (Release Notes)
- https://www.vulncheck.com/advisories/changedetection-io-safexpath3parser-bypass- (Patch, Third Party Advisory)
FAQ
What is CVE-2026-35000?
CVE-2026-35000 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPat...
How severe is CVE-2026-35000?
CVE-2026-35000 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-35000?
Check the references section above for vendor advisories and patch information. Affected products include: Webtechnologies Changedetection.