Attack Chain

1. Attacker identifies a changedetection.io instance monitoring an XML/RSS feed.
2. Attacker crafts a malicious XML/RSS response containing an external entity declaration referencing a local file (e.g., /etc/passwd).
3. Attacker ensures the watched URL returns the malicious XML/RSS content.
4. The changedetection.io instance fetches the XML/RSS content from the monitored URL.
5. The application’s stream detection identifies the content as XML/RSS.
6. The XPath include filter is triggered, invoking the vulnerable xpath_filter() function.
7. etree.fromstring() parses the untrusted XML bytes, resolving the external entity and reading the referenced local file.
8. The contents of the local file are exposed in extracted watch output, diff history, or downstream notification channels.

Impact

Successful exploitation of this XXE vulnerability (CVE-2026-41895) can lead to the disclosure of sensitive local files on the server running changedetection.io. The impact includes potential exposure of configuration files, credentials, or other sensitive data, which could be leveraged for further attacks or unauthorized access. While the number of affected installations is unknown, any instance of changedetection.io version 0.54.9 or earlier that monitors attacker-controlled XML/RSS feeds using XPath filters is potentially vulnerable.

Recommendation

• Upgrade changedetection.io to a version beyond 0.54.9 to remediate the vulnerability.
• Apply the remediation steps suggested by the original report: Harden XML parser construction with resolve_entities=False, load_dtd=False, and no_network=True.
• Implement the Sigma rule Detect Changedetection.io XXE Vulnerability Attempt to detect potential XXE attacks against changedetection.io instances by monitoring for suspicious XML parsing events.
• Enable webserver logging to activate the rule above (logsource: category: webserver, product: linux).