CVE-2026-29039
Published: 06 March 2026
Summary
CVE-2026-29039 is a high-severity Code Injection (CWE-94) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29039 affects changedetection.io, a free open source web page change detection tool, in versions prior to 0.54.4. The vulnerability arises in the application's handling of user-supplied XPath expressions provided via the include_filters field for content filtering. These expressions are processed using the elementpath library, which supports XPath 3.0/3.1 and includes the unparsed-text() function capable of reading arbitrary files from the filesystem. The application lacks validation or sanitization of these expressions, enabling unauthorized file access to any files readable by the application process. The issue is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious XPath expression containing the unparsed-text() function and submitting it through the include_filters field, an attacker gains the ability to read sensitive files accessible to the changedetection.io process, such as configuration files, credentials, or other local data.
The vulnerability has been addressed in changedetection.io version 0.54.4, as detailed in the project's security advisory (GHSA-6fmw-82m7-jq6p), release notes, and associated patch commit, which implement proper validation to block dangerous XPath functions. Security practitioners should upgrade to version 0.54.4 or later and review access controls for instances exposing the include_filters functionality.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10012
Vulnerability details
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library…
more
which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing changedetection.io web app enables unauthenticated remote file read via unsanitized XPath expressions (unparsed-text()), directly mapping to exploitation of public-facing applications for collection of data from the local system (including credentials/configs).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of user-supplied XPath expressions in the include_filters field to block dangerous functions like unparsed-text() that enable arbitrary file reads.
Mandates timely patching of the specific flaw in changedetection.io versions prior to 0.54.4, which implements XPath validation to prevent exploitation.
Limits the damage from arbitrary file reads by ensuring the application process operates with least privilege, restricting access to sensitive files.