high advisory

changedetection.io XXE Vulnerability

A vulnerability in changedetection.io versions 0.54.9 and earlier allows a remote attacker to perform XML External Entity (XXE) attacks, potentially exposing sensitive local files.

An XML External Entity (XXE) vulnerability exists in changedetection.io version 0.54.9 and earlier. The vulnerability resides within the xpath_filter() function in changedetectionio/html_tools.py:287. This function creates an XML parser without disabling external entity resolution, external DTD loading, or network-backed entity lookup. An attacker can exploit this by controlling a watched XML/RSS response body for a watch that has an XPath include filter configured. Successful exploitation allows the attacker to read arbitrary local files from the system running changedetection.io, leading to information disclosure. This issue was reported on May 4, 2026 (GHSA-v7cp-2cx9-x793) and assigned CVE-2026-41895.

Attack Chain

  1. Attacker identifies a changedetection.io instance monitoring an XML/RSS feed.
  2. Attacker crafts a malicious XML/RSS response containing an external entity declaration referencing a local file (e.g., /etc/passwd).
  3. Attacker ensures the watched URL returns the malicious XML/RSS content.
  4. The changedetection.io instance fetches the XML/RSS content from the monitored URL.
  5. The application’s stream detection identifies the content as XML/RSS.
  6. The XPath include filter is triggered, invoking the vulnerable xpath_filter() function.
  7. etree.fromstring() parses the untrusted XML bytes, resolving the external entity and reading the referenced local file.
  8. The contents of the local file are exposed in extracted watch output, diff history, or downstream notification channels.

Impact

Successful exploitation of this XXE vulnerability (CVE-2026-41895) can lead to the disclosure of sensitive local files on the server running changedetection.io. The impact includes potential exposure of configuration files, credentials, or other sensitive data, which could be leveraged for further attacks or unauthorized access. While the number of affected installations is unknown, any instance of changedetection.io version 0.54.9 or earlier that monitors attacker-controlled XML/RSS feeds using XPath filters is potentially vulnerable.

Recommendation

  • Upgrade changedetection.io to a version later than 0.54.9 to remediate the vulnerability.
  • Apply the remediation suggested by the original report: harden XML parser construction by passing resolve_entities=False, load_dtd=False, and no_network=True when creating the parser.
  • Implement the Sigma rule Detect Changedetection.io XXE Vulnerability Attempt to detect potential XXE attacks against changedetection.io instances by monitoring for suspicious XML parsing events.
  • Enable webserver logging to activate the rule above (logsource: category: webserver, product: linux).
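The parser hardening from the recommendation above, written as an added example that is not changedetection.io's own code: safe_xpath_filter is a hypothetical hardened stand-in for an XPath include filter, and the RSS body, the marker string and the temporary file are constructed so the check runs offline.

```python
import os
import tempfile
from lxml import etree


def hardened_parser():
    """Parser configured per the advisory's remediation: no entity
    substitution, no external DTD loading, no network fetches."""
    return etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)


def safe_xpath_filter(xpath_expr, xml_bytes):
    """Hypothetical hardened XPath include filter: parse the untrusted body
    with the hardened parser, then return each match serialised as text."""
    root = etree.fromstring(xml_bytes, parser=hardened_parser())
    results = []
    for item in root.xpath(xpath_expr):
        if etree.iselement(item):
            results.append(etree.tostring(item, encoding="unicode"))
        else:
            results.append(str(item))
    return results


def demo():
    """Constructed scenario: a temporary file stands in for a sensitive local
    file, and a constructed RSS body declares an external entity pointing at
    it. Returns (matches, string_values, leaked)."""
    marker = "CONSTRUCTED-SECRET-MARKER"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker)
        path = fh.name
    try:
        body = (
            '<?xml version="1.0"?>'
            '<!DOCTYPE rss [<!ENTITY ext SYSTEM "file://' + path + '">]>'
            "<rss><channel><item><title>&ext;</title></item></channel></rss>"
        ).encode()
        matches = safe_xpath_filter("//item/title", body)
        string_values = safe_xpath_filter("string(//item/title)", body)
    finally:
        os.unlink(path)
    # With resolve_entities=False the reference stays as an unexpanded &ext;
    # node, so the file content never reaches the watch output.
    leaked = any(marker in value for value in matches + string_values)
    return matches, string_values, leaked


if __name__ == "__main__":
    print(demo())
```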

Detection coverage (2 rules)

Detect Changedetection.io XXE Vulnerability Attempt

high

Detects potential XXE attacks against changedetection.io instances by monitoring web server logs for requests containing XML documents with suspicious entity declarations.

Sigma rule. Tactics: initial_access. Techniques: T1566.002. Sources: webserver, linux.

Detect Changedetection.io XPath Filter Usage

info

Detects requests that may be triggering the XPath filter within changedetection.io.

Sigma rule. Tactics: initial_access. Sources: webserver, linux.
