Protection Bypass Vulnerability in ChangeDetection.io by dgtlmoon
CVE-2026-35000

7.1HIGH

Key Information:

Vendor: Dgtlmoon
Status: Changedetection.io
Vendor: CVE Published:; 1 April 2026

What is CVE-2026-35000?

ChangeDetection.io versions before 0.54.7 have a protection bypass vulnerability in the SafeXPath3Parser component. This flaw permits attackers to exploit unblocked XPath 3.0/3.1 functions, such as json-doc(), to read arbitrary files from the local filesystem. The vulnerability arises from an incomplete blocklist of risky XPath functions, which can potentially expose sensitive information stored locally.

Affected Version(s)

ChangeDetection.io 0 < 0.54.7

ChangeDetection.io dadc804567a51f803cd6715f7885c11a247915f6

References

https://github.com/dgtlmoon/changedetection.io/releases/t...

release-notes

https://github.com/dgtlmoon/changedetection.io/commit/dad...

patch

https://www.vulncheck.com/advisories/changedetection-io-s...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2026
Vulnerability Reserved
Mar 31, 2026

Credit

Neo by ProjectDiscovery (https://neo.projectdiscovery.io)

CVE-2026-35000 Data

JSON

Dgtlmoon

What is CVE-2026-35000?

Affected Version(s)

References

CVSS V4

Timeline

Credit