CVE-2026-29039: CWE-94: Improper Control of Generation of Code ('Code Injection') in dgtlmoon changedetection.io
changedetection.io is a free, open-source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library, which implements the XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function, which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
AI Analysis
Technical Summary
Changedetection.io is an open-source web page change detection tool that allows users to specify XPath expressions as content filters via the include_filters field. In versions prior to 0.54.4, the application processes these XPath expressions with the elementpath library, which supports the XPath 3.0/3.1 specifications. XPath 3.0 introduces the unparsed-text() function, which can read arbitrary files from the filesystem. Because changedetection.io does not validate or sanitize user-supplied XPath expressions to block dangerous functions such as unparsed-text(), an attacker can craft an XPath filter that reads any file accessible to the application process. This is categorized as a code injection vulnerability under CWE-94 (Improper Control of Generation of Code). Exploitation requires no authentication or user interaction and can be performed remotely if the application is exposed. The vulnerability allows attackers to exfiltrate sensitive files, including configuration files, credentials, or other sensitive data residing on the server. The issue was patched in version 0.54.4 by restricting or sanitizing XPath expressions to prevent abuse of the unparsed-text() function. No known exploits are reported in the wild yet, but the vulnerability's characteristics make it a critical risk for affected deployments.
Potential Impact
The primary impact of CVE-2026-29039 is the unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers can leverage this vulnerability to access configuration files, environment variables, private keys, or other sensitive data stored on the server running changedetection.io. This can lead to further compromise of the system or lateral movement within the network. Since the vulnerability requires no authentication or user interaction, any exposed instance of changedetection.io running a vulnerable version is at immediate risk. Organizations relying on changedetection.io for monitoring web content may inadvertently expose critical internal data if the application is accessible to untrusted users or the internet. The confidentiality breach can have severe consequences, including data leaks, intellectual property theft, and compliance violations. The integrity and availability of the application are less directly impacted, but subsequent attacks leveraging stolen data could affect these aspects. The vulnerability’s high CVSS score (8.8) reflects its ease of exploitation and high impact on confidentiality.
Mitigation Recommendations
To mitigate CVE-2026-29039, organizations should upgrade changedetection.io to version 0.54.4 or later immediately, as this version includes patches that sanitize and restrict XPath expressions to prevent abuse of the unparsed-text() function. If upgrading is not immediately possible, administrators should restrict access to the changedetection.io service to trusted users only, ideally limiting network exposure via firewalls or VPNs. Additionally, review and audit any user-supplied XPath filters to detect and remove potentially malicious expressions. Implement application-layer input validation to block XPath functions that can access the filesystem, such as unparsed-text(). Monitoring logs for suspicious XPath queries or unusual file access patterns can help detect exploitation attempts. Finally, consider isolating the application in a restricted environment with minimal filesystem permissions to limit the impact of any successful exploit. Regularly review and apply security updates for all dependencies, including the elementpath library.
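As an added illustration of the application-layer validation recommended above (example code written for this page, not changedetection.io's own fix, whose exact mechanism the advisory does not detail): a stdlib-only check that rejects an include_filters XPath expression when it calls a function that reaches the filesystem or environment. The deny list and the sample expressions are constructed; because a deny list is only a stopgap, the check also covers namespace-prefixed, URI-qualified and dynamically looked-up calls, and blanks out string literals so they cannot cause false positives.

```python
import re

# XPath 3.0/3.1 built-in functions that reach outside the document being
# filtered (filesystem, environment, URIs), plus function-lookup, which can
# obtain any of them by name at run time. Constructed list for this example;
# extend it for your deployment.
DENIED_FUNCTIONS = frozenset({
    "unparsed-text", "unparsed-text-lines", "unparsed-text-available",
    "doc", "doc-available", "collection", "uri-collection", "json-doc",
    "environment-variable", "available-environment-variables",
    "function-lookup",
})

# XPath string literals: "..." with "" escapes, or '...' with '' escapes.
_STRING_LITERAL = re.compile(r"""(?:"(?:[^"]|"")*")|(?:'(?:[^']|'')*')""")

# A function call: optional namespace prefix (fn:) or URI-qualified name
# (Q{uri}), then the local name, optional whitespace, then "(".
_FUNCTION_CALL = re.compile(
    r"(?:Q\{[^}]*\}|[A-Za-z_][\w.\-]*:)?([A-Za-z_][\w.\-]*)\s*\("
)


def denied_calls(xpath: str) -> list[str]:
    """Return the sorted set of denied function names called in `xpath`."""
    # Blank out string literals so text such as contains(., 'doc(') is not
    # mistaken for a call; calls cannot occur inside a literal anyway.
    stripped = _STRING_LITERAL.sub('""', xpath)
    found = {m.group(1) for m in _FUNCTION_CALL.finditer(stripped)}
    return sorted(found & DENIED_FUNCTIONS)


def is_allowed_filter(xpath: str) -> bool:
    """True when the expression calls none of the denied functions."""
    return not denied_calls(xpath)


if __name__ == "__main__":
    # Constructed sample include_filters values for a quick demonstration.
    samples = [
        "//div[@class='price']/text()",
        "unparsed-text('/path/on/server')",
        "fn:unparsed-text-lines ( '/path/on/server' )",
        "Q{http://www.w3.org/2005/xpath-functions}doc('file:///path')",
        "function-lookup(xs:QName('fn:unparsed-text'), 1)('/path')",
        "//p[contains(., 'unparsed-text(')]",
    ]
    for s in samples:
        verdict = "ALLOW" if is_allowed_filter(s) else "DENY "
        print(f"{verdict}  {s}  {denied_calls(s)}")
```

Run the check before an include_filters value is stored and again before it is evaluated, so filters saved by a vulnerable version are also caught after the upgrade.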
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T17:50:11.242Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b92a
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/13/2026, 7:36:37 PM
Last updated: 4/20/2026, 1:27:45 PM