CVE-2026-29065: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dgtlmoon changedetection.io
CVE-2026-29065 is a high-severity path traversal vulnerability in changedetection.io versions prior to 0.54.4. It arises from improper validation of file paths in the backup restore feature, allowing attackers to craft malicious ZIP archives that overwrite arbitrary files on the host system. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. This flaw can lead to significant confidentiality and integrity breaches by enabling unauthorized file modification. The issue has been patched in version 0.54.4.
AI Analysis
Technical Summary
CVE-2026-29065 is a path traversal vulnerability classified under CWE-22 affecting changedetection.io, an open-source web page change detection tool. The flaw exists in versions prior to 0.54.4 within the backup restore functionality, where the application fails to confine member pathnames to the intended directory during extraction of uploaded ZIP archives. This Zip Slip vulnerability allows an attacker to craft a malicious ZIP file containing members whose names include path traversal sequences (e.g., ../) that escape the intended extraction directory. When the backup restore process extracts these members, it can overwrite arbitrary files on the host filesystem, potentially including critical system or application files. The vulnerability requires no authentication or user interaction and can be exploited remotely by submitting a malicious ZIP archive to the backup restore feature. The CVSS 4.0 score of 8.8 reflects the vulnerability's network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk due to the widespread use of changedetection.io for monitoring web content changes. The issue was addressed in version 0.54.4 by properly sanitizing and restricting file paths during ZIP extraction to prevent directory traversal. Organizations running affected versions should prioritize upgrading to the patched release to prevent arbitrary file overwrite and potential system compromise.
Potential Impact
The vulnerability enables attackers to overwrite arbitrary files on the host system, which can lead to severe consequences including unauthorized modification or replacement of critical configuration files, application binaries, or system files. This can result in system instability, data corruption, privilege escalation, or remote code execution if malicious payloads are placed and executed. The compromise of confidentiality and integrity is high since attackers can manipulate sensitive files without authentication. Availability impact is less direct but possible if critical system files are corrupted. Because exploitation requires no privileges or user interaction and can be performed remotely, the scope of affected systems is broad wherever vulnerable versions are deployed. Organizations relying on changedetection.io for monitoring or backup restoration are at risk of operational disruption and potential further compromise of their infrastructure.
Mitigation Recommendations
1. Immediately upgrade changedetection.io to version 0.54.4 or later, which contains the patch that properly sanitizes ZIP archive paths during extraction.
2. Implement strict input validation and sanitization on all file uploads, especially ZIP archives, to reject files containing path traversal sequences before processing.
3. Employ the principle of least privilege by running the changedetection.io service with minimal filesystem permissions, restricting write access only to necessary directories to limit the impact of potential exploitation.
4. Monitor logs for unusual backup restore activities or unexpected file modifications indicative of exploitation attempts.
5. Use application-level sandboxing or containerization to isolate the changedetection.io process, reducing the risk of system-wide compromise.
6. Regularly audit and verify backup and restore processes to ensure integrity and detect unauthorized changes.
7. Educate administrators and users about the risks of processing untrusted ZIP files and enforce secure operational procedures.
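The defensive pattern behind the fix and behind recommendation 2 above, as an added example that is neither changedetection.io's own code nor its actual patch: every member name of an uploaded backup ZIP is resolved against the restore directory first, and the whole archive is refused if any member would land outside it. The function names, the `UnsafeArchiveEntry` exception and the in-memory sample archives are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Added example (not changedetection.io's own code): validate every ZIP member name
# against the restore directory before extracting anything, so "../" members cannot
# escape it. Function names and the sample archives are constructed for illustration.

class UnsafeArchiveEntry(ValueError):
    """Raised when an uploaded backup contains members that would escape the restore root."""

def member_target(root: Path, member_name: str):
    """Resolved on-disk path for a member, or None if it would escape root."""
    root = root.resolve()
    if member_name.startswith(("/", "\\")):
        return None  # absolute member names are never legitimate backup content
    target = (root / member_name).resolve()  # collapses any "../" components
    return target if target == root or root in target.parents else None

def unsafe_members(zip_bytes: bytes, root: Path) -> list:
    """Member names that would escape root; an empty list means the archive is safe."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if member_target(root, i.filename) is None]

def restore_backup(zip_bytes: bytes, root: Path) -> list:
    """Validate the whole archive first; extract only if every member is safe."""
    bad = unsafe_members(zip_bytes, root)
    if bad:
        raise UnsafeArchiveEntry(f"refusing to restore, unsafe entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = member_target(root, info.filename)
            target.parent.mkdir(parents=True, exist_ok=True)
            if not info.is_dir():
                target.write_bytes(zf.read(info))
                written.append(info.filename)
    return sorted(written)

def build_archive(entries: dict) -> bytes:
    """Constructed in-memory ZIP from {member_name: bytes}, used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def new_restore_dir() -> Path:
    return Path(tempfile.mkdtemp(prefix="restore-")).resolve()  # resolved for comparisons
```

Because the check resolves the full path rather than searching for the literal string `../`, a benign name such as `data/../watches.json` is accepted while any member that resolves outside the restore directory is rejected.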
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T20:51:43.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b935
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/6/2026, 7:30:21 AM
Last updated: 3/6/2026, 10:10:01 AM