CVE-2026-41895

HIGH

7.5CVSS v3

—CVSS v2

0.05% EPSS (exploit probability)

CWE-611CWE

Description

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected routers (1)

Vendor	Model	Matched via	Affected versions	Fixed in	Patch Status
Ubiquiti	Ubiquiti EdgeRouter X	`—`	—	—	Unpatched

External references

NIST NVD
MITRE CVE