
CVE-2026-25527: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dgtlmoon changedetection.io

Medium
Tags: Vulnerability, CVE-2026-25527, cve, cve-2026-25527, cwe-22
Published: Thu Feb 19 2026 (02/19/2026, 14:18:18 UTC)
Source: CVE Database V5
Vendor/Project: dgtlmoon
Product: changedetection.io

Description

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue.

AI-Powered Analysis

Last updated: 02/19/2026, 14:47:56 UTC

Technical Analysis

CVE-2026-25527 is a path traversal vulnerability classified under CWE-22 affecting changedetection.io, an open-source web page change detection tool. The vulnerability arises from improper validation of the 'group' parameter in the /static/<group>/<filename> route. Specifically, if 'group' is set to '..', the application calls send_from_directory with a base directory of 'static/..', effectively moving the base directory up to '/app/changedetectionio'. This allows an unauthenticated attacker to read files within the application directory, including sensitive source code files such as flask_app.py. The vulnerability requires no privileges or user interaction and is exploitable remotely over the network. The CVSS 3.1 score is 5.3, reflecting a medium severity impact on confidentiality only, with no impact on integrity or availability. The flaw was addressed in version 0.53.2. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the risk of insufficient input validation in web applications, especially in open-source projects where source code disclosure can facilitate further attacks.

Potential Impact

The primary impact of CVE-2026-25527 is unauthorized disclosure of application source code and potentially other sensitive files within the changedetection.io installation directory. Exposure of source code can reveal internal logic, credentials, API keys, or other secrets embedded in code, increasing the risk of further exploitation such as privilege escalation or remote code execution. Although the vulnerability does not allow modification or deletion of files, the confidentiality breach can undermine trust in the application and lead to targeted attacks. Organizations running vulnerable versions may face increased risk of intellectual property theft and exposure of sensitive configuration data. Since the vulnerability is remotely exploitable without authentication, any publicly accessible instance of changedetection.io is at risk. The medium CVSS score reflects a moderate but significant threat, especially in environments where changedetection.io is integrated with other critical systems or contains sensitive monitoring configurations.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade changedetection.io to version 0.53.2 or later, where the path traversal flaw is fixed. If immediate upgrade is not feasible, implement strict input validation or filtering on the 'group' parameter to disallow directory traversal sequences such as '..'. Restrict network access to the changedetection.io service by using firewalls or VPNs to limit exposure to trusted users only. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting the /static/ route. Regularly audit and monitor application logs for suspicious access patterns involving unusual path parameters. Additionally, consider running the application with least privilege file system permissions to limit the impact of any file disclosure. Finally, educate developers on secure coding practices to prevent similar issues in future releases.
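The following example, written for this page and not taken from changedetection.io, shows the two defensive pieces the description and the mitigation section call for: a containment check for the `group` and `filename` parameters that a hardened `/static/<group>/<filename>` handler would run before calling `send_from_directory`, and a scan over access-log lines that flags `..` segments under `/static/`. The base directory `/app/changedetectionio/static` follows the advisory's resolved path; the Common Log Format lines, the client addresses and the function names are constructed for the example.

```python
"""Defensive handling of a /static/<group>/<filename> route, modelled on the
pattern described in CVE-2026-25527 (example code, not changedetection.io's own)."""
import posixpath
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Base directory from the advisory: the static tree sits one level below
# /app/changedetectionio, so "static/.." resolves to the application package.
STATIC_ROOT = PurePosixPath("/app/changedetectionio/static")

# Allow-list for a single path segment: no separators, no NUL, no empty string.
_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]+")


def is_within(candidate: PurePosixPath, root: PurePosixPath) -> bool:
    """True only if the *normalized* candidate stays inside root.

    PurePosixPath.relative_to() compares components textually and would accept
    "/root/../x" because ".." is never collapsed, so the path is normalized
    first (lexically, with no filesystem access)."""
    normalized = PurePosixPath(posixpath.normpath(str(candidate)))
    try:
        normalized.relative_to(root)
    except ValueError:
        return False
    return True


def resolve_static_path(group: str, filename: str,
                        static_root: PurePosixPath = STATIC_ROOT) -> Optional[PurePosixPath]:
    """Map the two URL parameters to a file under static_root, or None if the
    request must be rejected. This is the check a hardened route handler would
    run before handing the path to send_from_directory()."""
    for segment in (group, filename):
        # Allow-list first; the regex admits "." and "..", so name them explicitly.
        if not _SAFE_SEGMENT.fullmatch(segment) or segment in (".", ".."):
            return None
    candidate = static_root / group / filename
    # Belt and braces: the containment check survives a later loosening of the regex.
    if not is_within(candidate, static_root):
        return None
    return candidate


# Common Log Format: client identity user [time] "METHOD PATH PROTO" status bytes
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def is_traversal_request(request_path: str) -> bool:
    """Flag a request whose decoded path contains a '..' segment.
    Decoding twice catches single and double percent-encoding (%2e%2e, %252e%252e)."""
    decoded = unquote(unquote(request_path.split("?", 1)[0]))
    return ".." in re.split(r"[\\/]", decoded)


def flag_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, request path, status) for every line that looks like a
    traversal attempt; a 200 on such a line is the one to investigate first."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if m and is_traversal_request(m.group(3)):
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits


# Constructed sample log: one legitimate asset fetch, two traversal attempts
# (plain and percent-encoded), one unrelated API call.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [19/Feb/2026:14:20:01 +0000] "GET /static/styles/app.css HTTP/1.1" 200 1234',
    '10.0.0.9 - - [19/Feb/2026:14:20:07 +0000] "GET /static/../flask_app.py HTTP/1.1" 200 54321',
    '10.0.0.9 - - [19/Feb/2026:14:20:09 +0000] "GET /static/%2e%2e/flask_app.py HTTP/1.1" 200 54321',
    '10.0.0.12 - - [19/Feb/2026:14:21:00 +0000] "GET /api/v1/watch HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(resolve_static_path("styles", "app.css"))   # allowed
    print(resolve_static_path("..", "flask_app.py"))  # None: rejected
    for hit in flag_traversal_attempts(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", hit)
```

Two points matter when adapting this. The allow-list on each segment is the primary control; the lexical containment check is there so that a later relaxation of the regex (for instance to admit spaces) cannot silently reopen traversal. On the detection side, match on the decoded path rather than the raw request line, otherwise percent-encoded variants of the same request pass a naive substring search for `/static/..`.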


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-02T19:59:47.373Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6997227c0018ac3e97d29273

Added to database: 2/19/2026, 2:47:24 PM

Last enriched: 2/19/2026, 2:47:56 PM

Last updated: 2/20/2026, 3:56:55 AM

Views: 21
