CVE-2026-29065 in changedetection.io

Summary

by MITRE • 03/06/2026

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.


Analysis

by VulDB Data Team • 03/12/2026

The vulnerability identified as CVE-2026-29065 affects changedetection.io, a popular open source web page change detection tool designed to monitor website content changes and notify users of modifications. This tool operates by periodically checking web pages and comparing their content to detect alterations, making it valuable for monitoring news sites, price changes, or any dynamic content. The vulnerability resides within the backup restore functionality of the application, specifically in how it processes uploaded ZIP archives. Prior to version 0.54.4, the application failed to properly validate file paths contained within ZIP archives during the extraction process, creating a path traversal vulnerability that could be exploited by malicious actors to overwrite arbitrary files on the target system.

The technical flaw represents a classic Zip Slip vulnerability classified under CWE-22, which occurs when applications extract files from untrusted ZIP archives without properly sanitizing the file paths contained within those archives. When a user uploads a ZIP file containing maliciously crafted file paths such as ../../etc/passwd or ../../../windows/system32/drivers/etc/hosts, the application extracts these files to their specified locations rather than to a designated safe directory. This vulnerability stems from inadequate input validation and path sanitization within the archive extraction logic, allowing attackers to traverse the file system hierarchy and write files to locations outside the intended extraction directory. The flaw is particularly dangerous because it can be exploited through the backup restore functionality, which typically runs with elevated privileges necessary to modify system files.

The operational impact of this vulnerability extends beyond simple file overwrites to potentially enable complete system compromise. An attacker who successfully exploits this vulnerability could overwrite critical system files, configuration files, or even executable components, leading to privilege escalation, persistent backdoors, or complete system takeover. The vulnerability affects the application's backup restore functionality, which is typically used by administrators to recover system state or migrate configurations. If an attacker can upload a malicious ZIP archive through the backup restore feature, they can potentially overwrite files in the application's installation directory, system directories, or even user-specific files, depending on the permissions of the running process. This creates a significant risk for environments where the application runs with elevated privileges or where backup files might be processed without proper sandboxing.

Mitigation strategies for CVE-2026-29065 focus primarily on updating to the patched version 0.54.4, which implements proper path validation and sanitization during ZIP archive extraction. Organizations should also implement additional security controls including restricting upload capabilities to trusted users only, implementing strict file type validation for backup archives, and ensuring that the application runs with minimal necessary privileges. The fix typically involves implementing proper path validation that checks for directory traversal sequences such as ../ or ..\ and rejects archives containing such patterns. Security practitioners should also consider implementing network segmentation, monitoring for unusual file system activity, and conducting regular security assessments of the application's backup and restore functionality. This vulnerability aligns with ATT&CK technique T1059.007 for executing malicious code through file system manipulation and T1566 for initial access through malicious file uploads, making it a critical vulnerability for organizations that rely on web page monitoring tools in production environments.
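The path validation described above, as an added example rather than changedetection.io's actual patch: instead of only matching ../ substrings, it resolves each member's target and confirms it stays under the restore directory, and it validates the whole archive before writing anything. The names safe_restore, resolve_member, UnsafeArchiveError and constructed_archive are hypothetical, and the sample archive is constructed.

```python
import io
import shutil
import stat
import zipfile
from pathlib import Path

class UnsafeArchiveError(Exception):
    """Raised when a member would be written outside the restore directory."""

def resolve_member(dest_root: Path, info: zipfile.ZipInfo) -> Path:
    """Return the resolved target for one member, or raise UnsafeArchiveError."""
    # Treat backslashes as separators so "..\" is caught on every platform.
    name = info.filename.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveError(f"absolute path in archive: {info.filename!r}")
    # The Unix mode sits in the high 16 bits; symlink members are refused.
    if stat.S_ISLNK(info.external_attr >> 16):
        raise UnsafeArchiveError(f"symlink in archive: {info.filename!r}")
    # Resolve ".." components, then require the result to stay under dest_root.
    target = (dest_root / name).resolve()
    if not target.is_relative_to(dest_root):
        raise UnsafeArchiveError(f"path traversal in archive: {info.filename!r}")
    return target

def safe_restore(archive, dest_dir) -> list[str]:
    """Validate every member first, then extract; one bad member writes nothing."""
    dest_root = Path(dest_dir).resolve()
    with zipfile.ZipFile(archive) as zf:
        plan = [(info, resolve_member(dest_root, info)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(str(target.relative_to(dest_root)))
        return written

def constructed_archive(names) -> io.BytesIO:
    """Build an in-memory sample archive (constructed input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return io.BytesIO(buf.getvalue())
```

Requires Python 3.9 or later for Path.is_relative_to.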

Responsible

GitHub M

Reservation

03/03/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00031

KEV

no

Activities

very low
