CVE-2026-43891

HIGH

changedetection.io: Arbitrary Local File Read via crafted backup restore

Title source: cna

Description

changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56

Vendor Advisory

https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 11.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-73

Status published

Products (3)

dgtlmoon/changedetection.io < 0.55.1

pypi/changedetection.io 0 - 0.55.1PyPI

webtechnologies/changedetection < 0.55.1

Published May 12, 2026

Tracked Since May 12, 2026