Advisories for Pypi/Changedetection-Io package

2026

changedetection.io has an Arbitrary Local File Read via a crafted backup restore

This is an arbitrary local file disclosure vulnerability reachable through malicious backup restore content.

Who is impacted: deployments where the application process has read access to sensitive local system files, and Docker or host-mounted environments where secrets, config files, or operational artifacts are explicitly readable by the service.

What can be exposed: arbitrary system files (core operating system files such as /etc/passwd and /proc/self/environ, system-level configurations, and host metrics) and application data (internal records …

2024

Incorrect Authorization

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user. As a result, any unauthorized user can read a watch's history. However, because an unauthorized party first needs to know the watch UUID, and the watch history endpoint itself returns only paths to the snapshots on the server, an impact on users' data privacy …