Cyber Resilience

CVE-2026-43891

HighPublic PoC

Published: 12 May 2026

Published
12 May 2026
Modified
15 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0004 11.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-43891 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP…

more

is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Arbitrary local file read via malicious backup restore in public-facing web app directly enables data collection from local system and exploitation of the exposed application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29039Same product: Webtechnologies Changedetection
CVE-2026-29065Same product: Webtechnologies Changedetection
CVE-2026-35490Same product: Webtechnologies Changedetection
CVE-2026-27696Same product: Webtechnologies Changedetection
CVE-2026-33354Shared CWE-73
CVE-2026-5210Shared CWE-73
CVE-2026-8043Shared CWE-73
CVE-2026-29611Shared CWE-73
CVE-2026-29962Shared CWE-73
CVE-2025-53912Shared CWE-73

Affected Assets

webtechnologies
changedetection
≤ 0.55.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-73

Rejects externally supplied file or resource identifiers that fail validity checks.

References