CVE-2026-35000 HIGH

CVE-2026-35000: ChangeDetection.io < 0.54.7 SafeXPath3Parser Bypass Arbitrary File Read

Vendor Dgtlmoon
Product ChangeDetection.io
Weakness CWE-184
Published April 1, 2026
Last update April 1, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.

Key dates

02Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated