CVE-2026-25527 PUBLISHED

changedetection.io vulnerable to unauthenticated static path traversal

Assigner: GitHub_M
Reserved: 02.02.2026 Published: 19.02.2026 Updated: 19.02.2026

changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the /static/<group>/<filename> route accepts group="..", so send_from_directory("static/..", filename) is executed. This moves the base directory one level up to /app/changedetectionio, enabling unauthenticated local file read of application source files (e.g., flask_app.py). Version 0.53.2 fixes the issue.
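The pattern behind this record, shown as an added illustration rather than changedetection.io's own code: a static-file resolver that concatenates the untrusted group segment into the base directory, next to a hardened resolver that allowlists the group and confirms the resolved path stays under the static root. The directory layout, the allowlist contents and the helper names are assumptions.

```python
"""Path-traversal check for a Flask-style /static/<group>/<filename> route.
Constructed example, not the project's code; the app-root layout is assumed."""
import os
import tempfile

ALLOWED_GROUPS = {"js", "css", "images"}  # assumed set of legitimate static sub-dirs


def vulnerable_base(app_root: str, group: str) -> str:
    """Before the fix: group is joined into the base directory unchecked,
    so group=".." yields <app_root>/static/.., i.e. app_root itself."""
    return os.path.join(app_root, "static", group)


def safe_static_path(app_root: str, group: str, filename: str):
    """Hardened resolver: reject unknown groups, then verify the canonical path
    still lies inside <app_root>/static. Returns None when the request escapes."""
    static_root = os.path.realpath(os.path.join(app_root, "static"))
    if group not in ALLOWED_GROUPS:
        return None
    candidate = os.path.realpath(os.path.join(static_root, group, filename))
    # A bare prefix test would accept a sibling like "static2/", so include the separator.
    if candidate != static_root and not candidate.startswith(static_root + os.sep):
        return None
    return candidate


def demo() -> dict:
    """Build a constructed app tree and compare both resolvers on the same inputs."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "static", "js"))
    with open(os.path.join(root, "flask_app.py"), "w") as fh:
        fh.write("# constructed stand-in for the application source\n")
    with open(os.path.join(root, "static", "js", "app.js"), "w") as fh:
        fh.write("// constructed asset\n")
    escaped = os.path.realpath(os.path.join(vulnerable_base(root, ".."), "flask_app.py"))
    return {
        "vulnerable_resolves_to_source": escaped == os.path.join(root, "flask_app.py"),
        "hardened_blocks_group_traversal": safe_static_path(root, "..", "flask_app.py") is None,
        "hardened_blocks_filename_traversal": safe_static_path(root, "js", "../../flask_app.py") is None,
        "hardened_serves_asset": safe_static_path(root, "js", "app.js")
        == os.path.join(root, "static", "js", "app.js"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```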

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor dgtlmoon
Product changedetection.io
Versions
  • Version < 0.53.2 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')