Search for packages
| purl | pkg:pypi/changedetection-io@0.54.10 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6154-3xru-6bdz
Aliases: CVE-2026-43891 PYSEC-2026-30 |
changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-a7m7-dqk3-muf7 | changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...). |
CVE-2026-41895
GHSA-v7cp-2cx9-x793 PYSEC-2026-29 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:25:14.446398+00:00 | Pypa Importer | Affected by | VCID-6154-3xru-6bdz | https://github.com/pypa/advisory-database/blob/main/vulns/changedetection-io/PYSEC-2026-30.yaml | 38.6.0 |
| 2026-06-02T04:25:13.640165+00:00 | Pypa Importer | Fixing | VCID-a7m7-dqk3-muf7 | https://github.com/pypa/advisory-database/blob/main/vulns/changedetection-io/PYSEC-2026-29.yaml | 38.6.0 |