Description
A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function download_export_file of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-02-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read via Path Traversal
Action: Immediate Patch
AI Analysis

Impact

An attacker can manipulate the filename argument supplied to the download_export_file function in the tools.py module of the WeRSS we-mp-rss application. By providing a crafted value that contains directory traversal sequences, the function resolves to files outside its intended directory and returns their contents. This flaw allows arbitrary file read, potentially exposing sensitive configuration files, credentials, or confidential data. The vulnerability is classified as CWE-22 and is exploitable remotely via the exposed HTTP API.

Affected Systems

Versions of rachelos WeRSS we-mp-rss up to 1.4.8 are affected. The flaw resides in the download_export_file endpoint of apis/tools.py. Systems running these versions are at risk whenever the API is reachable, whether the application is exposed to the internet or only to an internal network. Updating to a patched version beyond 1.4.8 removes the vulnerable code path.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, but the path traversal flaw is remotely exploitable and an exploit has already been published. The EPSS score is below 1%, indicating a relatively low likelihood of widespread exploitation at the current time. However, because the flaw allows arbitrary files to be read, an attacker can obtain highly sensitive data if the application runs with elevated permissions or has access to protected directories. The vulnerability is not listed in CISA's KEV catalog, so no known widespread exploitation has been reported yet.

Generated by OpenCVE AI on April 17, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch for rachelos WeRSS we-mp-rss to eliminate the vulnerable download_export_file code and ensure proper filename validation.
  • If a patch cannot be applied immediately, restrict access to the download_export_file endpoint by whitelisting trusted IP addresses or requiring authentication that limits usage to internal users.
  • Enforce strict file-system permissions so that the application only has read access to its designated data directory, preventing it from reading other host files even if traversal succeeds.
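As a defensive illustration of the "proper filename validation" the recommended actions call for, the following is an added example in Python; it is not code from the we-mp-rss project, and the function names, the export directory layout, the allowed extensions and the sample requests are all assumptions. It applies two independent checks: the raw filename must match a strict allowlist pattern before any path is built, and the joined path, after resolving symlinks and '..' components, must still sit inside the export directory.

```python
"""Hardened filename handling for an export-download endpoint.

Added example, not code from the we-mp-rss project: function names,
directory layout, allowed extensions and sample requests are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Allowlist for a bare file name: letters, digits, '_' and '-', an optional
# middle segment, and a fixed set of export extensions. Path separators,
# a leading dot and '..' cannot match, so traversal is rejected up front.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\.(?:json|csv|opml|xml)")


def resolve_export_path(export_dir: Path, filename: str) -> Path:
    """Return the on-disk path for an export file, or raise.

    ValueError       -> the request is rejected (bad name or escapes the dir)
    FileNotFoundError -> the name is acceptable but no such export exists
    """
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid export filename")
    base = export_dir.resolve()
    # resolve() collapses '..' and follows symlinks, so a symlinked export
    # that points outside the directory is also caught by the check below.
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("filename escapes the export directory") from None
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


def build_fixture() -> Path:
    """Create a constructed directory tree: export/report.json plus a
    secret.txt one level above it that must never be served."""
    root = Path(tempfile.mkdtemp(prefix="export-example-"))
    export = root / "export"
    export.mkdir()
    (export / "report.json").write_text("{}")
    (root / "secret.txt").write_text("not for download")
    try:
        # Symlink inside the export dir pointing outside it (constructed).
        (export / "link.json").symlink_to(root / "secret.txt")
    except OSError:
        pass  # symlinks unavailable on this platform; other cases still run
    return export


# Constructed sample requests: one legitimate, the rest must be rejected.
SAMPLE_REQUESTS = [
    "report.json",
    "../secret.txt",
    "report.json/../../secret.txt",
    "link.json",
    "missing.json",
    "",
]


def check_requests(export_dir: Path, requested=SAMPLE_REQUESTS) -> dict:
    """Map each requested name to 'served' or 'rejected'."""
    outcome = {}
    for name in requested:
        try:
            resolve_export_path(export_dir, name)
            outcome[name] = "served"
        except (ValueError, FileNotFoundError):
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    for name, result in check_requests(build_fixture()).items():
        print(f"{name!r:32} -> {result}")
```

The allowlist alone would already block every traversal string in the sample set; the resolve-and-compare check is kept because it also covers symlinks and any future relaxation of the pattern, which is the layered behaviour the file-system permission recommendation above complements.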


Tracking


Advisories

No advisories yet.

History

Mon, 09 Feb 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Rachelos; Rachelos werss We-mp-rss
Vendors & Products  |                | Rachelos; Rachelos werss We-mp-rss

Mon, 09 Feb 2026 05:45:00 +0000

Type        | Values Removed | Values Added
Description |                | A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function download_export_file of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used.
Title       |                | rachelos WeRSS we-mp-rss tools.py download_export_file path traversal
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV2_0
                               {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0
                               {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0
                               {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Rachelos Werss We-mp-rss
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:56:58.204Z

Reserved: 2026-02-08T08:32:27.048Z

Link: CVE-2026-2216

Vulnrichment

Updated: 2026-02-09T16:08:11.016Z

NVD

Status: Deferred

Published: 2026-02-09T06:16:24.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses