Cyber Resilience

CVE-2026-29039

HighPublic PoCRCE

Published: 06 March 2026

Published
06 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0048 37.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-29039 is a high-severity Code Injection (CWE-94) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29039 affects changedetection.io, a free open source web page change detection tool, in versions prior to 0.54.4. The vulnerability arises in the application's handling of user-supplied XPath expressions provided via the include_filters field for content filtering. These expressions are processed using the elementpath library, which supports XPath 3.0/3.1 and includes the unparsed-text() function capable of reading arbitrary files from the filesystem. The application lacks validation or sanitization of these expressions, enabling unauthorized file access to any files readable by the application process. The issue is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious XPath expression containing the unparsed-text() function and submitting it through the include_filters field, an attacker gains the ability to read sensitive files accessible to the changedetection.io process, such as configuration files, credentials, or other local data.

The vulnerability has been addressed in changedetection.io version 0.54.4, as detailed in the project's security advisory (GHSA-6fmw-82m7-jq6p), release notes, and associated patch commit, which implement proper validation to block dangerous XPath functions. Security practitioners should upgrade to version 0.54.4 or later and review access controls for instances exposing the include_filters functionality.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library…

more

which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Vulnerability in public-facing changedetection.io web app enables unauthenticated remote file read via unsanitized XPath expressions (unparsed-text()), directly mapping to exploitation of public-facing applications for collection of data from the local system (including credentials/configs).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43891Same product: Webtechnologies Changedetection
CVE-2026-29065Same product: Webtechnologies Changedetection
CVE-2026-35490Same product: Webtechnologies Changedetection
CVE-2026-27696Same product: Webtechnologies Changedetection
CVE-2025-66916Shared CWE-94
CVE-2024-11613Shared CWE-94
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94

Affected Assets

webtechnologies
changedetection
≤ 0.54.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-supplied XPath expressions in the include_filters field to block dangerous functions like unparsed-text() that enable arbitrary file reads.

prevent

Mandates timely patching of the specific flaw in changedetection.io versions prior to 0.54.4, which implements XPath validation to prevent exploitation.

prevent

Limits the damage from arbitrary file reads by ensuring the application process operates with least privilege, restricting access to sensitive files.

References