5.3
changedetection.io Tool Allows Unauthorized Access to Source Code
CVE-2026-25527
Summary
Versions of changedetection.io prior to 0.53.2 allow unauthenticated attackers to read application source files through a path traversal in the static file route, potentially exposing proprietary code. This is a security risk because unauthorized individuals could view the code and potentially exploit it. To protect your application, update to version 0.53.2 or later.
What to do
Update to version 0.53.2 or later, which fixes the issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| webtechnologies | changedetection | <= 0.53.2 | – |
Original title
changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory(...
Original description
changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static/<group>/<filename>` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue.
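The flaw described above, modelled with the Python standard library only as an added example (this is not changedetection.io's code or its 0.53.2 fix): the filename is kept inside the base directory, but the base directory itself is built from the request-supplied `group`. The function names, the `ALLOWED_GROUPS` values and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Hypothetical allowlist; the project's real group names are not given on the page.
ALLOWED_GROUPS = {"js", "css", "images"}

def _contained(base, filename):
    """Return the real path of base/filename only if it stays inside base."""
    base = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, path]) != base:
        return None
    return path if os.path.isfile(path) else None

def resolve_naive(app_root, group, filename):
    """Flawed pattern: 'group' is joined into the base directory unchecked,
    so group='..' moves the base from static/ up to the application root."""
    return _contained(os.path.join(app_root, "static", group), filename)

def resolve_checked(app_root, group, filename):
    """Hardened form: allowlist the group, then require the result under static/."""
    if group not in ALLOWED_GROUPS:
        return None
    static_root = os.path.realpath(os.path.join(app_root, "static"))
    path = _contained(os.path.join(static_root, group), filename)
    if path is None or os.path.commonpath([static_root, path]) != static_root:
        return None
    return path

def build_sample_tree():
    """Constructed layout: <root>/flask_app.py and <root>/static/js/app.js."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "static", "js"))
    for rel in ("flask_app.py", os.path.join("static", "js", "app.js")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# constructed sample\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print("naive   ..:", resolve_naive(root, "..", "flask_app.py"))
    print("checked ..:", resolve_checked(root, "..", "flask_app.py"))
    print("checked js:", resolve_checked(root, "js", "app.js"))
```

The per-file containment check passes in the naive version because the file really is inside the (shifted) base directory, which is why the directory component needs its own validation.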
nvd CVSS3.1
5.3
Vulnerability type
CWE-22
Path Traversal
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026