CVE-2026-2216
📋 TL;DR
This path traversal vulnerability in rachelos WeRSS we-mp-rss allows remote attackers to read arbitrary files on the server by manipulating the filename parameter in the download_export_file function. The vulnerability affects all installations of WeRSS we-mp-rss up to version 1.4.8 that expose the vulnerable API endpoint.
💻 Affected Systems
- rachelos WeRSS we-mp-rss
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files like /etc/passwd, configuration files, or application secrets, potentially leading to credential theft, privilege escalation, or further system compromise.
Likely Case
Attackers will read application configuration files, database credentials, or other sensitive data stored in predictable locations, enabling further attacks against the system.
If Mitigated
With proper file permissions and web server configuration, impact is limited to files readable by the web server process, though sensitive application data may still be exposed.
🎯 Exploit Status
The exploit has been published and requires minimal technical skill to execute. Attackers can craft simple HTTP requests with path traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Monitor the official WeRSS repository for security updates.
2. Check if version 1.4.9 or later addresses this vulnerability.
3. Apply the update following standard software update procedures.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Block requests containing path traversal sequences like '../', '..\', or encoded equivalents in filename parameters.
API Endpoint Restriction
Restrict access to the vulnerable /apis/tools.py endpoint using web server configuration or network controls.
# Apache example
<Location /apis/tools.py>
Require all denied
</Location>
# Nginx example
location /apis/tools.py {
deny all;
}
🧯 If You Can't Patch
- Implement strict input validation to reject any filename parameter containing path traversal sequences.
- Configure the web server to run with minimal file system permissions, limiting what files can be accessed.
🔍 How to Verify
Check if Vulnerable:
Test by sending a request to the vulnerable endpoint with a filename parameter containing path traversal sequences (e.g., filename=../../../etc/passwd) and checking if sensitive files are returned.
Check Version:
Check the WeRSS version in the application interface or configuration files. For command line: grep -r 'version' /path/to/werss/installation/
Verify Fix Applied:
Verify that path traversal attempts are blocked or return error responses, and that only legitimate export files can be downloaded.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /apis/tools.py with filename parameters containing '../', '..\', or encoded equivalents
- Unusual file access patterns from web server process
Network Indicators:
- HTTP requests with path traversal sequences in parameters
- Unexpected file downloads from the WeRSS application
SIEM Query:
source="web_server_logs" AND (uri_path="/apis/tools.py" AND (param_filename CONTAINS "../" OR param_filename CONTAINS "..\\"))
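The SIEM query above matches only the literal '../' and '..\' forms, while the log indicators also list encoded equivalents. The following is an added example, not code from the WeRSS project or from this advisory: a Python scan over constructed access-log lines that percent-decodes the filename parameter until it is stable (so double encoding is caught), folds backslashes to '/', and flags requests to /apis/tools.py whose filename escapes the export directory. The common-log-format layout and the sample entries are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (common log format) for this example; not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /apis/tools.py?filename=export_2026.opml HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "GET /apis/tools.py?filename=../../../etc/passwd HTTP/1.1" 200 1842',
    '10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /apis/tools.py?filename=%2e%2e%2f%2e%2e%2fconfig.yaml HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /apis/tools.py?filename=..%255c..%255cwindows%255cwin.ini HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Mar/2026:10:00:05 +0000] "GET /feeds/list HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' path segment bounded by separators or string ends; 'my..file.opml' does not match.
DOTDOT_SEGMENT_RE = re.compile(r'(^|/)\.\.(/|$)')
VULN_PATH = '/apis/tools.py'

def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (catches double encoding), then fold '\\' to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def is_traversal_attempt(line: str) -> bool:
    """True if the request hits the vulnerable endpoint with a filename that leaves the export directory."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    url = urlparse(m.group('target'))
    if url.path != VULN_PATH:
        return False
    # parse_qs removes one layer of percent-encoding; normalize() removes any remaining layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get('filename', []):
        name = normalize(raw)
        # An absolute path is as much an escape as a '..' segment, so flag both.
        if name.startswith('/') or DOTDOT_SEGMENT_RE.search(name):
            return True
    return False

def scan(lines):
    """Return (source_ip, line) for every flagged request."""
    return [(line.split(' ', 1)[0], line) for line in lines if is_traversal_attempt(line)]

if __name__ == '__main__':
    for ip, line in scan(SAMPLE_LOGS):
        print(f'[ALERT] {ip}: {line}')
```

The check runs on the request line regardless of response status, since a 404 on a traversal attempt is still reconnaissance worth alerting on.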