{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33981", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.210Z", "datePublished": "2026-03-27T22:01:13.719Z", "dateUpdated": "2026-03-30T18:36:23.805Z"}, "containers": {"cna": {"title": "Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8"}, {"name": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f"}, {"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7"}], "affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"version": "< 0.54.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:01:13.719Z"}, "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue."}], "source": {"advisory": "GHSA-58r7-4wr5-hfx8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:36:19.303287Z", "id": "CVE-2026-33981", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:36:23.805Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33981", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:36:19.303287Z"}}}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:36:08.872Z"}}], "cna": {"title": "Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters", "source": {"advisory": "GHSA-58r7-4wr5-hfx8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"status": "affected", "version": "< 0.54.7"}]}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f", "name": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:01:13.719Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33981", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:36:23.805Z", "dateReserved": "2026-03-24T22:20:06.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:01:13.719Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue."}], "id": "CVE-2026-33981", "lastModified": "2026-03-30T19:16:26.517", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:22.793", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f"}, {"source": "security-advisories@github.com", "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.54.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "changedetection.io", "source": "cna", "vendor": "dgtlmoon"}, "product": "changedetection.io", "vendor": "dgtlmoon"}], "analysis": {"en": {"generated_at": "2026-03-28T06:11:27.736142+00:00", "value": {"mitigation_remediation": ["Upgrade changedetection.io to version 0.54.7 or newer.", "Enable or require authentication to limit access to the include filter functionality.", "Remove or unset any sensitive environment variables from the container environment to reduce information exposure."], "summary": {"action": "Patch", "impact": "Sensitive environment variable disclosure"}, "threat_synthesis": {"affected_systems": "This flaw affects the dgtlmoon changedetection.io project, specifically releases before version 0.54.7. Any deployment of an older release\u2014particularly those running with default unauthenticated access\u2014is vulnerable until the application is upgraded to 0.54.7 or later.", "description_and_impact": "The vulnerability allows a user to include a specially crafted filter that invokes the jq 'env' builtin, causing all process environment variables to be captured as part of a watch snapshot. This leaks secrets such as SALTED_PASS, HTTP_PROXY, PLAYWRIGHT_DRIVER_URL, and any other values supplied to the container, creating a direct information\u2011disclosure risk that can compromise credentials or internal configuration.", "risk_and_exploitability": "The severity rating is high with a score of 8.3. No exploit probability score is publicly available, and the vulnerability is not listed in the national catalog of known exploited vulnerabilities. An attacker who can authenticate to the web interface, or any visitor if authentication is disabled, can submit a malicious include filter expression that triggers the environment dump. Once executed, the attacker gains read access to all environment variables, potentially exposing passwords, tokens, and network settings. No additional privilege escalation is required."}}}}, "created": "2026-03-29T20:29:33.395429+00:00", "updated": "2026-03-30T06:59:59.041652+00:00", "vendors": ["dgtlmoon", "dgtlmoon$PRODUCT$changedetection.io"]}