CVE-2026-29065
Published: 06 March 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-29065 is a Zip Slip vulnerability (CWE-22) affecting changedetection.io, a free open source web page change detection tool, in versions prior to 0.54.4. The flaw exists in the backup restore functionality, where path traversal in uploaded ZIP archives enables arbitrary file overwrites. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.
A remote unauthenticated attacker can exploit this vulnerability by uploading a malicious ZIP archive during the backup restore process. Successful exploitation allows arbitrary file overwrites on the server, potentially leading to full compromise if critical files like configuration or executables are targeted.
The issue has been addressed in version 0.54.4. Mitigation involves upgrading to this patched release, as detailed in the GitHub security advisory (GHSA-25g8-2mcf-fcx9), the specific commit (1d7d812eb0faab37042246e2fbce04f29bb1b3aa), and the release notes.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a path traversal (Zip Slip) in a public-facing web application's backup restore feature, allowing remote unauthenticated arbitrary file overwrites, directly mapping to exploitation of public-facing applications.