CVE-2026-33981

MEDIUM

Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters

Title source: cna

Description

changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue.

References (3)

[X_Refsource_Confirm] https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8

[X_Refsource_Misc] https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 3.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

dgtlmoon/changedetection.io < 0.54.7

pypi/changedetection.io 0 - 0.54.7PyPI

webtechnologies/changedetection < 0.54.7

Published Mar 27, 2026

Tracked Since Mar 29, 2026