High severity7.5GHSA Advisory· Published May 12, 2026· Updated May 13, 2026
CVE-2026-41895
CVE-2026-41895
Description
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
changedetection.ioPyPI | <= 0.54.9 | — |
Affected products
3- Range: <= 0.54.9
- cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*Range: <=0.54.9
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-v7cp-2cx9-x793ghsaADVISORY
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41895ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-29.yamlghsaWEB
News mentions
0No linked articles in our index yet.