CVE-2026-41895 HIGH

CVE-2026-41895: changedetection.io: XXE vulnerability in the changedetection.io project

Vendor Dgtlmoon
Product changedetection.io
Weakness CWE-611 · XXE
Published May 12, 2026
Last update May 18, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 18, 2026 Record updated