CVE-2026-41895
HIGHchangedetection.io: XXE vulnerability in the changedetection.io project
Title source: cnaDescription
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793
Scores
CVSS v3
7.5
EPSS
0.0005
EPSS Percentile
14.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (3)
dgtlmoon/changedetection.io
<= 0.54.9
pypi/changedetection.io
0 - 0.54.9PyPI
webtechnologies/changedetection
< 0.54.9
Published
May 12, 2026
Tracked Since
May 12, 2026