CVE-2026-29065: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dgtlmoon changedetection.io
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.
AI Analysis
Technical Summary
CVE-2026-29065 is a path traversal (CWE-22) vulnerability in changedetection.io, an open-source web page change detection tool, affecting all versions before 0.54.4. The backup restore feature accepts an uploaded ZIP archive and writes its members back into the application's data directory, but it does not constrain the member names to that directory. This is the Zip Slip pattern: a ZIP entry name is an attacker-controlled string, and nothing in the format stops it from containing '../' segments or being an absolute path, so an archive crafted with such names makes the restore write wherever those names resolve, replacing existing files with attacker-chosen content. What can be overwritten is bounded by the permissions of the process running changedetection.io and, in a container deployment, by the container's filesystem; within those bounds the attacker chooses both target and content, which is enough to reach code execution by replacing application code or configuration the service later loads, or to cause data loss and denial of service. The CVSS 4.0 base score is 8.8, with no privileges and no user interaction required. Read that in light of how changedetection.io is deployed: it ships with no login enabled, so unless the operator has turned on its built-in password protection or placed an authenticating proxy in front of the UI, the restore endpoint is reachable by anyone who can reach the web interface. The issue is fixed in version 0.54.4, and no exploitation in the wild has been reported at the time of writing. Instances reachable from outside a trusted network should be upgraded without delay.
Potential Impact
Successful exploitation gives an attacker an arbitrary file write on the host running changedetection.io, with the attacker choosing both the path and the content. The realistic consequences are: replacement of application files or anything the service executes or loads, which is a route to remote code execution; corruption of the monitored-site datastore and its history; and denial of service by clobbering files the application needs to start or run. The write happens with the service's own privileges, so a root process on a bare host is the worst case and a non-root process in a container with only the data volume writable is the best; even in the latter, the application's own state and settings remain fully exposed to modification. Because the restore endpoint needs no prior authentication on a default installation, an exposed instance can be found and attacked by automated scanning, and a compromised host can serve as a foothold for lateral movement. No exploitation in the wild has been reported, but a malicious archive takes a few lines of any ZIP library to produce, so the absence of reports is not a reason to defer the upgrade.
Mitigation Recommendations
Upgrade changedetection.io to version 0.54.4 or later. Where that cannot happen immediately: enable the application's built-in password protection and put the UI behind an authenticating reverse proxy or VPN, so the restore endpoint is not reachable unauthenticated from untrusted networks; run the service as a non-root user with a read-only root filesystem and only the datastore volume writable, which limits what a traversal write can reach; and, if backup restore is not needed operationally, block its route at the proxy. For detection, apply file integrity monitoring to the application's install directory and to any system paths the service user can write, and review web server and application logs for uploads to the backup restore endpoint from unexpected sources or outside maintenance windows. If archives must be screened before restore, reject any whose member names contain '..' segments, begin with '/' or a drive letter, or are symlinks; a regex filter on a proxy is a weak substitute for that check, because it has to reproduce the extraction semantics exactly. Finally, treat backup archives as untrusted input: restore only archives the organization produced itself and whose integrity can be verified, and keep the restore procedure restricted to named administrators.
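The following Python example is added here to make the Zip Slip mechanism from the Technical Summary and the archive screening step from the Mitigation Recommendations concrete. It is not changedetection.io's code and does not reproduce the project's restore implementation; it pairs the generic vulnerable restore pattern (join the member name onto the datastore path and write) with a hardened restorer and a pre-check that reports unsafe members. The archives it processes are constructed in memory for the example, and the function and class names are this example's own.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeArchiveEntry(ValueError):
    """Raised for a member that would be written outside the datastore."""


def build_backup(entries: dict) -> bytes:
    """Build a ZIP in memory from {member_name: content}. ZipFile stores the
    member name verbatim, so '../x' or '/etc/x' survive exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives for this example (not real backups).
BENIGN_BACKUP = build_backup({"url-watches.json": "{}", "settings.json": "{}"})
MALICIOUS_BACKUP = build_backup({"url-watches.json": "{}",
                                 "../../escaped.txt": "attacker content"})


def restore_vulnerable(zip_bytes: bytes, datastore: Path) -> list:
    """The classic vulnerable loop: trust the member name, join it, write it.
    os.path.join keeps '..' segments, so the write lands outside datastore."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = Path(os.path.join(datastore, info.filename))
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest.resolve())
    return written


def safe_member_path(datastore: Path, member: zipfile.ZipInfo) -> Path:
    """Map a member to a path provably inside datastore, or raise."""
    name = member.filename
    parts = PurePosixPath(name).parts
    # Reject empty/absolute names, Windows separators or drive letters, and '..'.
    if (not parts or name.startswith("/") or "\\" in name or ":" in name
            or ".." in parts):
        raise UnsafeArchiveEntry(name)
    # A symlink member pointing out of the tree turns every later write
    # through it into an escape, so refuse symlinks outright.
    if stat.S_ISLNK(member.external_attr >> 16):
        raise UnsafeArchiveEntry(name)
    base = datastore.resolve()
    dest = base.joinpath(*parts).resolve()  # follows symlinks already on disk
    if dest != base and base not in dest.parents:
        raise UnsafeArchiveEntry(name)
    return dest


def scan_backup(zip_bytes: bytes, datastore: Path) -> list:
    """Pre-check an uploaded archive; return the names of unsafe members."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_member_path(datastore, info)
            except UnsafeArchiveEntry:
                unsafe.append(info.filename)
    return unsafe


def restore_safe(zip_bytes: bytes, datastore: Path) -> list:
    """Validate every member before writing any, so a bad archive is
    rejected whole rather than half-applied."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(i, safe_member_path(datastore, i)) for i in zf.infolist()]
        for info, dest in plan:
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as out:
                out.write(src.read())
            written.append(dest)
    return written


def demo() -> dict:
    """Run both restorers on the constructed archives inside a temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        datastore = root / "a" / "b" / "datastore"
        datastore.mkdir(parents=True)
        try:
            restore_safe(MALICIOUS_BACKUP, datastore)
            rejected = None
        except UnsafeArchiveEntry as exc:
            rejected = str(exc)
        partial = (datastore / "url-watches.json").exists()  # False: nothing written
        benign = len(restore_safe(BENIGN_BACKUP, datastore))
        vuln = restore_vulnerable(MALICIOUS_BACKUP, datastore)
        escaped = [str(p.relative_to(root)) for p in vuln
                   if datastore not in p.parents]
        return {"rejected": rejected, "partial_write": partial,
                "benign_restored": benign, "escaped_writes": escaped,
                "scan": scan_backup(MALICIOUS_BACKUP, datastore)}


if __name__ == "__main__":
    print(demo())
```

The hardened path validates every member before writing any of them, refuses symlink members, and resolves the final path on disk so that a symlink already present in the datastore cannot redirect a write. Python's own ZipFile.extractall already strips '..' and leading separators from member names, so the vulnerable pattern shown here is the hand-rolled join-and-write loop that applications use when they want per-file control over extraction.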
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T20:51:43.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa7f36c48b3f10ff26b935
Added to database: 3/6/2026, 7:16:06 AM
Last enriched: 3/13/2026, 7:37:32 PM
Last updated: 4/20/2026, 10:36:45 AM
Views: 75