CVE-2026-41895— changedetection.io: XXE vulnerability in the changedetection.io project
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41895
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
changedetection.io: XXE vulnerability in the changedetection.io project
Source: NVD (National Vulnerability Database)
Vulnerability Description
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Vulnerability Title
changedetection.io 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
changedetection.io是dgtlmoon个人开发者的一个网站变更检测、监控和通知应用程序。 changedetection.io 0.54.9及之前版本存在代码问题漏洞,该漏洞源于xpath_filter函数未禁用外部实体解析,可能导致解析不受信任的XML字节。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| dgtlmoon | changedetection.io | <= 0.54.9 | - |
II. Public POCs for CVE-2026-41895
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41895
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: changedetection.io
- CVE-2026-43891
changedetection.io: Arbitrary Local File Read via crafted ba - CVE-2026-35490
changedetection.io has an Authentication Bypass via Decorato - CVE-2026-35000
ChangeDetection.io < 0.54.7 SafeXPath3Parser Bypass Arbitrar - CVE-2026-33981
Changedetection.io Discloses Environment Variables via jq en - CVE-2026-29065
changedetection.io: Zip Slip vulnerability in the backup res
Same vendor: dgtlmoon
- CVE-2026-43891
changedetection.io: Arbitrary Local File Read via crafted ba - CVE-2026-35490
changedetection.io has an Authentication Bypass via Decorato - CVE-2026-35000
ChangeDetection.io < 0.54.7 SafeXPath3Parser Bypass Arbitrar - CVE-2026-33981
Changedetection.io Discloses Environment Variables via jq en - CVE-2026-29065
changedetection.io: Zip Slip vulnerability in the backup res
Same weakness: CWE-611
- CVE-2026-44445
ERPNext: XML External Entity (XEE) Reference Vulnerability i - CVE-2026-41936
Vvveb < 1.0.8.2 XML External Entity Injection via Import - CVE-2026-40682
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntr - CVE-2026-6501
ILM Informatique jOpenDocument 代码问题漏洞 - CVE-2025-14543
Improper Restriction of XML External Entity Reference vulner
V. Comments for CVE-2026-41895
No comments yet