CVE-2026-35000: CWE-184 Incomplete List of Disallowed Inputs in dgtlmoon ChangeDetection.io
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.
AI Analysis
Technical Summary
CVE-2026-35000 affects the SafeXPath3Parser component of ChangeDetection.io, a self-hosted web-page change-monitoring tool maintained by dgtlmoon. Each watch carries user-supplied filters that select which part of a fetched page is compared between checks, and one of the filter types is an XPath expression. XPath 3.0 and 3.1 are considerably more than node selectors: their standard function library includes functions that dereference a URI and return its contents, among them doc(), json-doc(), unparsed-text(), unparsed-text-lines() and collection(), and an engine that resolves relative or file: URIs against the local filesystem will read local files on behalf of whoever wrote the expression. The parser was meant to neutralise this by refusing expressions that name known dangerous functions, but the list in versions prior to 0.54.7 was incomplete: json-doc() and similar primitives were not on it, so a filter that calls them is executed, and the file content becomes part of the text the watch captures, visible through its normal preview and diff views. This is the textbook CWE-184 (Incomplete List of Disallowed Inputs) failure: a denylist covers only what its author thought of, whereas an allowlist of the handful of functions a page filter legitimately needs would have excluded every file-access primitive by default. The CVSS 4.0 vector records network attack vector, low attack complexity, no privileges required, no user interaction and high confidentiality impact. In practice the attacker needs the ability to create or edit a watch filter; ChangeDetection.io's login password is optional, so on an instance reachable over a network without one, anyone who can load the web interface has that ability, which is the scenario the vector describes. No in-the-wild exploitation was known at the time of analysis, but the disclosure is public and the fix is a straightforward upgrade.
Potential Impact
The direct impact of CVE-2026-35000 is disclosure of any file readable by the ChangeDetection.io process on a vulnerable instance. What that yields depends on the deployment: the application's own data directory (watch definitions and, typically, the notification endpoints and tokens configured in them), environment or .env files holding proxy and notification credentials, container secrets mounted into the filesystem, and, on a bare-host install, anything else the service account can read. Credentials recovered this way are the springboard for the follow-on attacks the score does not capture, such as access to the notification services, proxies or internal sites the instance was set up to use, and lateral movement from there. On an instance exposed without a login password the attack needs no credentials and no victim interaction, which is why it rates high despite touching only confidentiality; integrity and availability are not directly affected, and exposure is limited to hosts running versions prior to 0.54.7. Where the monitored content or the configured credentials are themselves regulated data, the disclosure may also carry compliance consequences.
Mitigation Recommendations
Upgrade ChangeDetection.io to 0.54.7 or later; that release closes the gap in the parser's function filtering. Until the upgrade lands: set a login password on the instance if it does not have one, since the attack requires the ability to submit a watch filter and an unauthenticated instance hands that ability to anyone who can reach it; put the web interface behind a reverse proxy, VPN or network ACL rather than exposing it directly; and review the XPath filters of existing watches for calls or references to doc(), json-doc(), unparsed-text(), unparsed-text-lines(), collection() or function-lookup(), together with any watches you do not recognise, because those are the indicators of attempted exploitation that the application itself will not flag. Treat any WAF or proxy rule that pattern-matches those function names as coarse interim cover only: it is itself a denylist and inherits the same weakness. Run the service as an unprivileged user in a container with only its data directory mounted, and keep other secrets out of its filesystem, so that a successful read returns as little as possible. If you maintain code that accepts user-supplied XPath, do not try to enumerate the dangerous functions; permit only the few functions a filter needs, or disable URI-dereferencing functions in the engine's static context. Keep watching the project's advisories in case further bypasses are found.
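To make the CWE-184 point in the technical summary concrete, and to give the filter review recommended above something to run, here is a constructed Python example written for this page. It is not ChangeDetection.io's SafeXPath3Parser, it does not call the project's XPath engine, and every name in it (blocklist_check, allowlist_check, normalize, the sample expressions) is an assumption of the example. blocklist_check reproduces the fragile pattern: a regex denylist of function names that happens to omit json-doc(), and that also never sees a named function reference (doc#1) or a dynamic function-lookup() because the name is not followed by a parenthesis. allowlist_check takes the approach that holds up: strip comments and string literals with a small scanner, collect every function call or reference, and reject anything not explicitly permitted. The evasion inputs are ordinary XPath 3.0 syntax aimed at the toy denylist; they are not a reproduction of the CVE.

```python
import re
from typing import Tuple

# Constructed example for this page. Not ChangeDetection.io's SafeXPath3Parser,
# and no XPath engine is called: both checkers are pure string pre-filters.

# ---- The fragile pattern (CWE-184): a denylist of function names ----------
# This toy list omits json-doc(), mirroring the gap the advisory describes.
BLOCKED_FUNCTIONS = {"doc", "doc-available", "unparsed-text",
                     "unparsed-text-lines", "collection"}
# A name counts as "called" only when followed by "(" and not glued to a
# longer name (so "doc" does not fire on "json-doc").
_BLOCK_RE = re.compile(
    r"(?<![\w\-])(" + "|".join(map(re.escape, sorted(BLOCKED_FUNCTIONS))) + r")\s*\("
)


def blocklist_check(expr: str) -> bool:
    """True if the expression gets past the denylist (i.e. would be executed)."""
    return _BLOCK_RE.search(expr) is None


# ---- The robust pattern: normalise, then allow only known-pure functions ---
# Functions a page filter legitimately needs; everything else is refused, so
# doc(), json-doc(), unparsed-text(), function-lookup(), ... never get in.
ALLOWED_FUNCTIONS = {
    # node kind tests that share call syntax
    "text", "node", "comment", "element", "attribute", "processing-instruction",
    # string / number / boolean helpers
    "contains", "starts-with", "ends-with", "normalize-space", "string",
    "string-length", "substring", "substring-before", "substring-after",
    "concat", "translate", "upper-case", "lower-case", "string-join",
    "count", "sum", "position", "last", "not", "true", "false", "number",
    "boolean", "name", "local-name", "exists", "empty", "distinct-values",
}
# Reserved words that may be followed by "(" without being a function call.
XPATH_KEYWORDS = {"if", "then", "else", "for", "let", "return",
                  "some", "every", "in", "satisfies", "and", "or"}
_NAME = r"[A-Za-z_][\w.\-]*"
# optional prefix, then a name followed by "(" (call) or "#N" (function reference)
_CALL_RE = re.compile(rf"(?:({_NAME})\s*:\s*)?({_NAME})\s*(?:\(|#\d)")


def normalize(expr: str) -> str:
    """Blank string literals and drop (possibly nested) (: comments :) so the
    scan only sees code. Raises ValueError on an unterminated literal/comment."""
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c in ("'", '"'):                      # string literal; '' or "" escapes a quote
            j = i + 1
            while True:
                j = expr.find(c, j)
                if j == -1:
                    raise ValueError("unterminated string literal")
                if expr[j:j + 2] == c + c:
                    j += 2
                    continue
                break
            out.append(c + c)                    # keep an empty literal in place
            i = j + 1
        elif expr.startswith("(:", i):           # comment, may nest
            depth, i = 1, i + 2
            while i < n and depth:
                if expr.startswith("(:", i):
                    depth, i = depth + 1, i + 2
                elif expr.startswith(":)", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            if depth:
                raise ValueError("unterminated comment")
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def allowlist_check(expr: str) -> Tuple[bool, str]:
    """(True, 'ok') if every call/reference in expr is allowlisted, else (False, why)."""
    try:
        code = normalize(expr)
    except ValueError as err:
        return False, str(err)
    for prefix, name in _CALL_RE.findall(code):
        if not prefix and name in XPATH_KEYWORDS:
            continue
        if prefix not in ("", "fn"):             # xs:, map:, array:, ... not needed by filters
            return False, f"namespace prefix not allowed: {prefix}:{name}"
        if name not in ALLOWED_FUNCTIONS:
            return False, f"function not in allowlist: {name}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed filters: a legitimate one, the gap, two forms a name-denylist
    # never sees, and a false positive the denylist raises on a string literal.
    samples = [
        "//div[@class='price']/text()",
        "json-doc('/path/to/local/file.json')",
        "doc#1('/path/to/local/file.xml')",
        "function-lookup(xs:QName('fn:unparsed-text'), 1)('/path/to/local/file')",
        "contains(., 'doc(')",
    ]
    for s in samples:
        print(f"{s!r:75} denylist passes={blocklist_check(s)!s:5} allowlist={allowlist_check(s)}")
```

A syntactic pre-filter like allowlist_check is defence in depth, not the fix: it runs before the engine and cannot know every form the engine accepts, so the URI-dereferencing functions must also be removed or disabled in the engine itself. It is, however, the right shape for auditing stored watch filters: feed each one in and read the reason string, and note that the denylist's false positive on a quoted 'doc(' disappears once string literals are blanked.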
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-31T20:40:15.617Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cd661ee6bfc5ba1de9caef
Added to database: 4/1/2026, 6:38:22 PM
Last enriched: 4/1/2026, 6:57:14 PM
Last updated: 4/3/2026, 4:31:42 PM