CVE-2026-29039: CWE-94: Improper Control of Generation of Code ('Code Injection') in dgtlmoon changedetection.io
CVE-2026-29039 is a high-severity vulnerability in changedetection.io versions prior to 0.54.4 that allows unauthenticated remote attackers to read arbitrary files on the server. The issue arises because the application processes user-supplied XPath expressions without sanitization, enabling abuse of the unparsed-text() XPath function to access filesystem contents. This vulnerability does not require authentication or user interaction and can lead to significant confidentiality breaches. It has been patched in version 0.54.4. Organizations using affected versions should upgrade immediately and review any exposed sensitive data.
AI Analysis
Technical Summary
Changedetection.io is an open-source web page change detection tool that lets users specify XPath expressions as content filters via the include_filters field. Prior to version 0.54.4, the application evaluated these expressions with the elementpath library, which implements the XPath 3.0/3.1 specifications. XPath 3.0 introduced the unparsed-text() function, which reads a resource by URI and can therefore read arbitrary files from the filesystem. Because changedetection.io did not validate or sanitize the XPath expressions to block dangerous functions such as unparsed-text(), an attacker could craft a filter that reads any file readable by the application process. The weakness is categorized under CWE-94 (Improper Control of Generation of Code). It allows remote, unauthenticated attackers to disclose sensitive information by reading arbitrary files, potentially including configuration files, credentials, or other sensitive data. The vulnerability has been assigned CVE-2026-29039 and carries a CVSS 4.0 score of 8.8 (high severity), reflecting its ease of exploitation (no privileges or user interaction required) and its significant impact on confidentiality and integrity. The issue was patched in changedetection.io version 0.54.4, presumably by restricting or sanitizing XPath expressions to prevent abuse of dangerous functions; the advisory does not describe the fix in detail. No known exploits had been reported in the wild as of the publication date.
Potential Impact
This vulnerability can lead to severe confidentiality breaches by allowing attackers to read arbitrary files on the server running changedetection.io. Sensitive information such as application configuration files, credentials, private keys, or other protected data could be exposed. This can facilitate further attacks like privilege escalation, lateral movement, or data exfiltration. Since the vulnerability requires no authentication or user interaction, any attacker with network access to the affected service can exploit it remotely. The integrity of the system is also at risk because attackers might leverage disclosed information to manipulate or disrupt the application. Availability is less directly impacted but could be affected if attackers use the information to launch follow-up attacks. Organizations relying on changedetection.io for monitoring critical web content or internal resources may face operational risks and compliance issues if sensitive data is leaked. The vulnerability's high CVSS score underscores the critical need for timely remediation.
Mitigation Recommendations
The primary mitigation is to upgrade changedetection.io to version 0.54.4 or later, where the vulnerability has been patched. If immediate upgrade is not possible, organizations should restrict access to the changedetection.io service to trusted networks only, preventing exposure to untrusted users. Implement network-level controls such as firewalls or VPNs to limit access. Additionally, review and sanitize any user-supplied XPath expressions if custom filters are used, disallowing dangerous XPath functions like unparsed-text(). Monitoring and logging access to the application can help detect suspicious activity. Conduct a thorough audit of files accessible to the application process and rotate any credentials or secrets that might have been exposed. Finally, consider deploying application-layer firewalls or runtime application self-protection (RASP) solutions that can detect and block malicious XPath expressions or code injection attempts.
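The mitigation above recommends rejecting user-supplied filters that call dangerous XPath functions before they reach the evaluator. The following is an added example of such a pre-validation step, written here for this page; it is not changedetection.io's own code and not the fix shipped in 0.54.4, which this page does not show. It strips XPath comments and string literals, extracts every function name that is actually invoked (including `fn:`-prefixed, `Q{uri}`-qualified and `name#arity` forms), and rejects the expression if any name is on a block list. Everything beyond unparsed-text() is this example's assumption: the other blocked names are the XPath 3.x functions that reach files, URIs or the environment, the allowlist is a guess at what a page-content filter typically needs, and the watch records and filter strings are constructed sample data.

```python
"""Pre-validation of user-supplied XPath content filters (added example).

Rejects filters that call XPath 3.x functions reaching outside the queried
document, such as unparsed-text(), before the expression is handed to the
XPath engine. The function lists below are this example's assumptions.
"""
import re
from typing import Optional

# unparsed-text() is the function named in the advisory. The rest is an
# assumption of this example: the other XPath 3.0/3.1 functions that read
# files, URIs or the environment, plus function-lookup(), which can reach
# any of them indirectly.
BLOCKED_FUNCTIONS = frozenset({
    "unparsed-text", "unparsed-text-lines", "unparsed-text-available",
    "doc", "doc-available", "collection", "uri-collection", "json-doc",
    "environment-variable", "available-environment-variables",
    "load-xquery-module", "transform", "function-lookup",
})

# Stricter policy for deployments where legitimate filters are known:
# allow only these (assumed) everyday filter functions and node tests.
DEFAULT_ALLOWED = frozenset({
    "contains", "starts-with", "ends-with", "text", "node", "comment",
    "normalize-space", "string", "string-length", "concat", "substring",
    "count", "position", "last", "not", "name", "local-name", "matches",
    "lower-case", "upper-case", "translate", "number", "boolean",
})

# XPath keywords that may legally be followed by "(" but are not calls.
_KEYWORDS = frozenset({
    "if", "then", "else", "and", "or", "return", "in", "to", "some", "every",
    "let", "for", "satisfies", "div", "mod", "eq", "ne", "lt", "le", "gt",
    "ge", "is", "union", "intersect", "except", "instance", "of", "treat",
    "as", "castable", "cast",
})

_COMMENT_RE = re.compile(r"\(:.*?:\)", re.DOTALL)          # (: ... :)
_STRING_RE = re.compile(r'"(?:[^"]|"")*"' + r"|'(?:[^']|'')*'")
# A QName (optional prefix) or the local part of a Q{uri}local EQName,
# followed by an argument list or a #arity named-function reference.
# Whitespace before "(" is legal XPath, so it is tolerated here.
_CALL_RE = re.compile(
    r"(?<![\w.-])(?:[A-Za-z_][\w.-]*:)?(?P<local>[A-Za-z_][\w.-]*)\s*(?:\(|#\d+)"
)


def function_calls(expr: str) -> list:
    """Return the local names of every function invoked in expr, in order."""
    stripped = _COMMENT_RE.sub(" ", expr)       # calls inside comments are inert
    stripped = _STRING_RE.sub('""', stripped)   # ...and so are names inside literals
    names = [m.group("local") for m in _CALL_RE.finditer(stripped)]
    return [n for n in names if n not in _KEYWORDS]


def validate_filter(expr: str, allowed: Optional[frozenset] = None) -> str:
    """Return expr unchanged if it passes; raise ValueError naming the offender.

    With allowed=None only BLOCKED_FUNCTIONS are rejected (the advisory's
    denylist approach); with an allowlist, every other function is rejected too.
    """
    for name in function_calls(expr):
        if name in BLOCKED_FUNCTIONS:
            raise ValueError(f"XPath filter rejected: {name}() is not permitted")
        if allowed is not None and name not in allowed:
            raise ValueError(f"XPath filter rejected: {name}() is not on the allowlist")
    return expr


def is_safe_filter(expr: str, allowed: Optional[frozenset] = None) -> bool:
    try:
        validate_filter(expr, allowed)
        return True
    except ValueError:
        return False


def audit_stored_filters(watches: dict, allowed: Optional[frozenset] = None) -> list:
    """Audit already-stored watches (constructed shape: uuid -> {'include_filters': [...]})
    and return (uuid, filter, reason) for every filter that would now be rejected."""
    findings = []
    for uuid, watch in watches.items():
        for flt in watch.get("include_filters", []):
            try:
                validate_filter(flt, allowed)
            except ValueError as exc:
                findings.append((uuid, flt, str(exc)))
    return findings


if __name__ == "__main__":
    # Constructed sample watches; the second one carries a filter of the kind
    # the advisory describes, with a placeholder path rather than a real file.
    sample_watches = {
        "watch-1": {"include_filters": ['//div[@class="price"]//text()']},
        "watch-2": {"include_filters": ['fn:unparsed-text (: hidden :) ("/placeholder/server/file")']},
    }
    for finding in audit_stored_filters(sample_watches):
        print(finding)
```

The denylist matches what the mitigation paragraph asks for and keeps existing filters working; the allowlist is the safer default for a new deployment because an unknown function fails closed instead of open. Nested XPath comments are not fully stripped by the single regex, which can only cause a false rejection, never a missed call. Independently of this check, elementpath lets the caller choose the parser class, and the XPath 2.0 parser has no unparsed-text() at all since the function only arrived in 3.0; whether that is acceptable depends on whether any filters rely on 3.x features.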
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T17:50:11.242Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b92a
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/6/2026, 7:30:53 AM
Last updated: 3/6/2026, 10:10:14 AM