Medium severity6.5NVD Advisory· Published Mar 27, 2026· Updated Apr 2, 2026
CVE-2026-33981
CVE-2026-33981
Description
changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
changedetection.ioPyPI | < 0.54.7 | 0.54.7 |
Affected products
2- cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*Range: <0.54.7
Patches
Vulnerability mechanics
References
5- github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557fnvdPatchWEB
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-58r7-4wr5-hfx8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33981ghsaADVISORY
- github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.