{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/changedetection.io/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["changedetection.io (\u003c= 0.54.9)"],"_cs_severities":["high"],"_cs_tags":["XXE","vulnerability","changedetection.io"],"_cs_type":"advisory","_cs_vendors":["changedetection.io"],"content_html":"\u003cp\u003eAn XML External Entity (XXE) vulnerability exists in changedetection.io version 0.54.9 and earlier. The vulnerability resides within the \u003ccode\u003expath_filter()\u003c/code\u003e function in \u003ccode\u003echangedetectionio/html_tools.py:287\u003c/code\u003e, which constructs an XML parser without disabling external entity resolution, external DTD loading, or network-backed entity lookup. Because the parser's input is the body of a response that changedetection.io itself fetches, the attacker needs no access to the instance: it is enough to control (or tamper with) the content served at a watched URL for a watch that has an XPath include filter configured. Successful exploitation lets the attacker read any local file the changedetection.io process can read and have its contents surface in the watch output. 
This issue was reported on May 4, 2026 (GHSA-v7cp-2cx9-x793) and assigned CVE-2026-41895.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a changedetection.io instance that monitors an XML/RSS feed through a watch with an XPath include filter.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious XML/RSS document whose DTD declares an external entity referencing a local file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) and references that entity from an element the filter will select.\u003c/li\u003e\n\u003cli\u003eAttacker arranges for the watched URL to return the malicious document, either because they operate the feed\u0026rsquo;s host or because they have compromised it.\u003c/li\u003e\n\u003cli\u003eThe changedetection.io instance fetches the content from the monitored URL on its next check.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s stream detection identifies the content as XML/RSS.\u003c/li\u003e\n\u003cli\u003eThe XPath include filter is applied, invoking the vulnerable \u003ccode\u003expath_filter()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eetree.fromstring()\u003c/code\u003e parses the untrusted bytes with a parser that resolves external entities, so the referenced local file is read and substituted into the document.\u003c/li\u003e\n\u003cli\u003eThe file contents appear in the extracted watch output, the diff history, and any downstream notification channels.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XXE vulnerability (CVE-2026-41895) discloses local files on the server running changedetection.io, limited to those readable by the account the service runs as: configuration files, credentials, or other sensitive data that could be leveraged for further attacks or unauthorized access. 
While the number of affected installations is unknown, any changedetection.io instance at version 0.54.9 or earlier that applies an XPath include filter to an XML/RSS feed it does not control is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade changedetection.io to a release later than 0.54.9 that contains the fix.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, apply the remediation suggested by the original report: construct the XML parser in \u003ccode\u003expath_filter()\u003c/code\u003e with \u003ccode\u003eresolve_entities=False\u003c/code\u003e, \u003ccode\u003eload_dtd=False\u003c/code\u003e, and \u003ccode\u003eno_network=True\u003c/code\u003e. Rejecting any fetched document that contains a \u003ccode\u003eDOCTYPE\u003c/code\u003e or \u003ccode\u003eENTITY\u003c/code\u003e declaration before it reaches the parser adds a second layer that does not depend on parser defaults.\u003c/li\u003e\n\u003cli\u003eUntil patched, review watches that combine an XPath include filter with an XML/RSS source outside your control, and treat their diff history and notifications as places where leaked file contents could already have landed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Changedetection.io XXE Vulnerability Attempt\u003c/code\u003e (logsource category: webserver, product: linux); it requires webserver access logging on the host to be enabled. Note that the malicious XML travels in the body of the feed response that changedetection.io fetches, not in a request to the instance, so the instance\u0026rsquo;s own access logs will not contain the entity declaration itself; logging or proxying the outbound fetches is needed to see the payload.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-changedetectionio-xxe/","summary":"A vulnerability in changedetection.io versions 0.54.9 and earlier allows a remote attacker to perform XML External Entity (XXE) attacks, potentially exposing sensitive local files.","title":"changedetection.io XXE Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-changedetectionio-xxe/"}],"language":"en","title":"CraftedSignal Threat Feed — Changedetection.io","version":"https://jsonfeed.org/version/1.1"}
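As an added example (not code from changedetection.io or from the advisory above), the following Python shows the two remediation layers side by side: a parser-independent gate that refuses fetched XML carrying any DOCTYPE or ENTITY declaration, and an lxml XMLParser built with the resolve_entities=False, load_dtd=False, no_network=True flags the report recommends. The function names, the RSS samples and the assumption that etree.fromstring() in the advisory refers to lxml.etree are this example's own. The gate doubles as the check to run over captured feed bodies, which is where the payload actually travels.

```python
"""Added example, not changedetection.io's own code: a defence-in-depth
wrapper for applying an XPath include filter to untrusted XML/RSS.

Two layers:
  1. has_dtd()          - parser-independent gate that refuses any document
                          carrying a DOCTYPE or ENTITY declaration; the same
                          check can run as a detection over captured bodies;
  2. hardened_parser()  - an lxml XMLParser built with the flags the advisory
                          recommends, used only if the gate passes.
Function names and the RSS samples are constructed for this example; the
lxml parser flags are the real XMLParser keyword arguments.
"""
import re
from typing import List

# Constructed sample: a benign RSS feed a watch might legitimately monitor.
BENIGN_RSS = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Release notes</title>
<item><title>v1.2.3</title><link>https://example.invalid/v1.2.3</link></item>
</channel></rss>"""

# Constructed sample with the XXE shape the advisory describes: an external
# entity bound to a local file, referenced from an element the filter selects.
MALICIOUS_RSS = b"""<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rss version="2.0"><channel><title>news</title>
<item><title>&xxe;</title></item></channel></rss>"""

# A DOCTYPE can only appear in the prologue, but matching anywhere is
# deliberate: a CDATA section or comment containing this text causes a
# false positive, never a false negative, which is the right trade-off for
# a deny-by-default gate on attacker-controlled input.
_DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or ENTITY declaration."""


def has_dtd(xml_bytes: bytes) -> bool:
    """True if the document declares a DOCTYPE or an ENTITY."""
    return _DTD_RE.search(xml_bytes) is not None


def hardened_parser():
    """lxml parser with entity expansion, external DTD loading and network
    access disabled. Returns None when lxml is not installed (assumption:
    etree.fromstring() in the advisory refers to lxml.etree)."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return etree.XMLParser(resolve_entities=False, load_dtd=False,
                           no_network=True, huge_tree=False)


def safe_xpath_filter(xml_bytes: bytes, xpath: str) -> List[str]:
    """Apply an XPath include filter to untrusted XML, failing closed.

    Raises UnsafeXMLError before any parsing if the gate trips, so no local
    file can be read on behalf of the feed even if the parser flags were
    ever relaxed. Requires lxml for the parsing step.
    """
    if has_dtd(xml_bytes):
        raise UnsafeXMLError("DOCTYPE/ENTITY declaration in untrusted XML")
    from lxml import etree  # ImportError here means lxml is absent
    root = etree.fromstring(xml_bytes, parser=hardened_parser())
    out: List[str] = []
    for node in root.xpath(xpath):
        if isinstance(node, (str, bool, float)):   # text(), @attr, count()
            out.append(str(node))
        else:                                       # element results
            out.append(etree.tostring(node, encoding="unicode"))
    return out


if __name__ == "__main__":
    print("benign has DTD:", has_dtd(BENIGN_RSS))        # False
    print("malicious has DTD:", has_dtd(MALICIOUS_RSS))  # True
    try:
        safe_xpath_filter(MALICIOUS_RSS, "//item/title/text()")
    except UnsafeXMLError as exc:
        print("refused:", exc)
    if hardened_parser() is not None:
        print(safe_xpath_filter(BENIGN_RSS, "//item/title/text()"))
```

With resolve_entities=False lxml leaves the `&xxe;` reference unexpanded rather than reading the file, but the gate refuses the document before the parser ever sees it, so the outcome does not depend on which lxml release or parser defaults happen to be installed. The same has_dtd() check applied to stored feed bodies or proxy captures is a simple way to find attempts after the fact.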