CVE-2026-35000
🔶 mediumSummary
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. Attackers can exploit the incomplete blocklist of dangerous XPath functions to access sensitive data from the local filesystem.
CVSS Score
6.5
Medium
EPSS Score
0.1
Exploit Probability
Published Date
2026-04-01
First Seen: 2026-04-05
📊 Relative Risk Intelligence
This CVE is Lower Risk - more severe than 47.8% of all 321,566 vulnerabilities in our database.
#167,705
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 1, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Neo by ProjectDiscovery (https://neo.projectdiscovery.io)
SSVC data provided by
CISA
Last Modified
2026-04-21
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)