CVE-2026-29039
Published: 06 March 2026
Summary
CVE-2026-29039 is a high-severity Code Injection (CWE-94) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing changedetection.io web app enables unauthenticated remote file read via unsanitized XPath expressions (unparsed-text()), directly mapping to exploitation of public-facing applications for collection of data from the local system (including credentials/configs).
NVD Description
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library…
more
which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
Deeper analysisAI
CVE-2026-29039 affects changedetection.io, a free open source web page change detection tool, in versions prior to 0.54.4. The vulnerability arises in the application's handling of user-supplied XPath expressions provided via the include_filters field for content filtering. These expressions are processed using the elementpath library, which supports XPath 3.0/3.1 and includes the unparsed-text() function capable of reading arbitrary files from the filesystem. The application lacks validation or sanitization of these expressions, enabling unauthorized file access to any files readable by the application process. The issue is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious XPath expression containing the unparsed-text() function and submitting it through the include_filters field, an attacker gains the ability to read sensitive files accessible to the changedetection.io process, such as configuration files, credentials, or other local data.
The vulnerability has been addressed in changedetection.io version 0.54.4, as detailed in the project's security advisory (GHSA-6fmw-82m7-jq6p), release notes, and associated patch commit, which implement proper validation to block dangerous XPath functions. Security practitioners should upgrade to version 0.54.4 or later and review access controls for instances exposing the include_filters functionality.
Details
- CWE(s)