PatchSiren

dgtlmoon CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH dgtlmoon CVE published 2026-04-01

CVE-2026-35000

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation. This vulnerability allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc() and similar file-access primitives. The vulnerability exists due to an incomplete blocklist of dangerous XPath functions, enabling attackers to access sen [truncated]