CVE-2026-25527 MEDIUM

CVE-2026-25527: changedetection.io vulnerable to unauthenticated static path traversal

Vendor Dgtlmoon
Product changedetection.io
Weakness CWE-22 · Path traversal
Published February 19, 2026
Last update February 19, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue.

Key dates

02Disclosure timeline

February 19, 2026 CVE published
February 19, 2026 Record updated