{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35000", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-31T20:40:15.617Z", "datePublished": "2026-04-01T18:09:35.793Z", "dateUpdated": "2026-04-01T19:06:41.847Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T18:09:35.793Z"}, "title": "ChangeDetection.io < 0.54.7 SafeXPath3Parser Bypass Arbitrary File Read", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-184", "description": "CWE-184 Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "affected": [{"vendor": "dgtlmoon", "product": "ChangeDetection.io", "repo": "https://github.com/dgtlmoon/changedetection.io", "versions": [{"status": "affected", "version": "0", "lessThan": "0.54.7", "versionType": "semver"}, {"status": "unaffected", "version": "dadc804567a51f803cd6715f7885c11a247915f6", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem."}]}], "tags": ["x_open-source"], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "tags": ["release-notes"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/commit/dadc804567a51f803cd6715f7885c11a247915f6", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/changedetection-io-safexpath3parser-bypass-arbitrary-file-read", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Neo by ProjectDiscovery (https://neo.projectdiscovery.io)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:06:34.514422Z", "id": "CVE-2026-35000", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:06:41.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35000", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T19:06:34.514422Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:06:37.938Z"}}], "cna": {"tags": ["x_open-source"], "title": "ChangeDetection.io < 0.54.7 SafeXPath3Parser Bypass Arbitrary File Read", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Neo by ProjectDiscovery (https://neo.projectdiscovery.io)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/dgtlmoon/changedetection.io", "vendor": "dgtlmoon", "product": "ChangeDetection.io", "versions": [{"status": "affected", "version": "0", "lessThan": "0.54.7", "versionType": "semver"}, {"status": "unaffected", "version": "dadc804567a51f803cd6715f7885c11a247915f6", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "tags": ["release-notes"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/commit/dadc804567a51f803cd6715f7885c11a247915f6", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/changedetection-io-safexpath3parser-bypass-arbitrary-file-read", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.", "supportingMedia": [{"type": "text/html", "value": "ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184 Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-01T18:09:35.793Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35000", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:06:41.847Z", "dateReserved": "2026-03-31T20:40:15.617Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-01T18:09:35.793Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*", "matchCriteriaId": "70788C7C-32F4-4483-A7F7-83D5DC9D1C6A", "versionEndExcluding": "0.54.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem."}], "id": "CVE-2026-35000", "lastModified": "2026-04-21T00:15:47.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-01T19:16:33.750", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/dgtlmoon/changedetection.io/commit/dadc804567a51f803cd6715f7885c11a247915f6"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/changedetection-io-safexpath3parser-bypass-arbitrary-file-read"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.54.7)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "dadc804567a51f803cd6715f7885c11a247915f6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ChangeDetection.io", "source": "cna", "vendor": "dgtlmoon"}, "product": "changedetection.io", "vendor": "dgtlmoon"}], "analysis": {"en": {"generated_at": "2026-04-02T04:32:57.232071+00:00", "value": {"mitigation_remediation": ["Upgrade to ChangeDetection.io version 0.54.7 or later, which addresses the SafeXPath3Parser blocklist issue."], "summary": {"action": "Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "Any deployment of ChangeDetection.io with a version earlier than 0.54.7 is affected. The product is maintained by the dgtlmoon project. No additional vendor or product names are listed, and the impacted versions are all releases preceding 0.54.7 unless otherwise patched.", "description_and_impact": "The vulnerability lies in the SafeXPath3Parser implementation of ChangeDetection.io, where the blocklist of dangerous XPath 3.0/3.1 functions is incomplete. Attackers can supply malicious XPath expressions that include file\u2011access primitives such as json-doc() to read arbitrary local files. This allows a compromise of confidentiality by exposing sensitive data that resides on the host filesystem, with a CVSS score of 7.1 indicating a high risk severity.", "risk_and_exploitability": "The CVSS score of 7.1 reflects a considerable threat, though the EPSS score is not available and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote; an attacker can invoke the vulnerable parser by submitting crafted XPath expressions through the web interface or API, assuming the target system is reachable and the parser is not restricted. Because the vulnerability exploitable via an input data field, the prerequisites are minimal: network access and the ability to supply input. The exploitation can lead to read access to any local file, potentially exposing configuration files, secrets, or other sensitive data."}}}}, "created": "2026-04-02T07:48:02.147903+00:00", "updated": "2026-04-02T20:16:54.844241+00:00", "vendors": ["dgtlmoon", "dgtlmoon$PRODUCT$changedetection.io"]}