CVE-2026-2216: Path Traversal in rachelos WeRSS we-mp-rss
CVE-2026-2216 is a medium severity path traversal vulnerability in rachelos WeRSS we-mp-rss versions up to 1.4.8. The flaw exists in the download_export_file function within apis/tools.py, where manipulation of the filename argument allows a remote attacker to read arbitrary files on the server. The CVSS 4.0 score is 5.3 (medium): the attack is reachable over the network and needs no user interaction, but the vector's PR:L means a low-privileged account on the application is required, so the flaw should not be described as unauthenticated. No exploitation in the wild has been observed. European organizations running affected versions are exposed to unauthorized file disclosure, which can leak configuration or credentials and enable further compromise. Mitigation is to apply a patch once one is available; until then, restrict access to the vulnerable API endpoint and validate the filename parameter by resolving it and checking that it stays inside the export directory.
AI Analysis
Technical Summary
CVE-2026-2216 identifies a path traversal vulnerability in the rachelos WeRSS we-mp-rss software, specifically in versions 1.4.0 through 1.4.8. The vulnerability resides in the download_export_file function located in apis/tools.py, where the filename parameter is insufficiently sanitized. An attacker can remotely manipulate this parameter to traverse directories and read arbitrary files on the server filesystem that the application process can access. This can lead to unauthorized disclosure of sensitive information, such as configuration files, credentials, or other critical data stored on the server. The vulnerability does not require user interaction, but the CVSS 4.0 vector indicates that low privileges are required (PR:L), i.e. the attacker needs a low-privileged account on the application; descriptions calling the flaw unauthenticated conflict with the vector and should be read with that in mind. The remaining vector components are network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and low impact on confidentiality (VC:L) with no impact on integrity or availability. While no exploitation in the wild is currently reported, the existence of a published exploit increases the risk of future attacks. No official patch has been linked yet, so organizations must implement interim mitigations.
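The weak pattern behind this class of bug, beside a hardened resolver, as an added Python illustration. This is not code from we-mp-rss; the function names, the export directory layout and the sample file names are assumptions. The hardened version rejects separators, parent references and absolute names before touching the filesystem, then resolves the path (following symlinks) and confirms it is still directly inside the export directory.

```python
"""Path traversal in a file-download handler: the weak pattern beside a
hardened one. Added illustration; NOT code from we-mp-rss. Function names
and directory layout are assumptions."""
import os
import tempfile
from pathlib import Path


def unsafe_export_path(export_dir: str, filename: str) -> str:
    # Weak pattern: user input is joined directly onto the export directory.
    # "../../etc/passwd" walks out of export_dir, and an absolute filename
    # replaces export_dir entirely (os.path.join drops earlier components).
    return os.path.normpath(os.path.join(export_dir, filename))


def safe_export_path(export_dir: str, filename: str) -> Path:
    """Return the path of `filename` inside `export_dir`, or raise ValueError."""
    base = Path(export_dir).resolve()
    # Only a bare file name is acceptable: no separators (either flavour),
    # no "." / "..", no NUL, no empty name. Checked before any FS access.
    if (not filename or filename in (".", "..")
            or "/" in filename or "\\" in filename or "\x00" in filename):
        raise ValueError("invalid export file name")
    candidate = (base / filename).resolve()
    # Defence in depth: a symlink inside export_dir could still point outside,
    # so confirm the fully resolved path is a direct child of the base.
    if candidate.parent != base:
        raise ValueError("path escapes export directory")
    return candidate


def demo() -> dict:
    """Exercise both resolvers against a constructed export directory.

    Returns {name: (unsafe_path_stayed_inside, safe_verdict)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = os.path.join(tmp, "exports")
        os.mkdir(export_dir)
        Path(export_dir, "feeds.opml").write_text("<opml/>")
        secret = Path(tmp, "secret.txt")  # constructed "sensitive" file
        secret.write_text("top secret")
        # A symlink inside the export dir that points outside it.
        os.symlink(secret, os.path.join(export_dir, "link.opml"))

        results = {}
        for name in ("feeds.opml", "../secret.txt", "/etc/passwd", "link.opml"):
            unsafe = unsafe_export_path(export_dir, name)
            try:
                safe_export_path(export_dir, name)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results[name] = (unsafe.startswith(export_dir + os.sep), verdict)
        return results


if __name__ == "__main__":
    for name, (inside, verdict) in demo().items():
        print(f"{name!r:20} unsafe stays inside: {inside!s:5} hardened: {verdict}")
```

Note that a blocklist of the literal string `../` is not enough on its own: URL decoding happens before the handler sees the value, absolute paths contain no `..` at all, and a symlink planted in the export directory bypasses string checks entirely. The resolve-then-compare step catches all three.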
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive files on servers running the vulnerable WeRSS we-mp-rss versions. This can result in leakage of confidential data, including internal configurations, user data, or credentials, potentially facilitating further attacks such as privilege escalation or lateral movement within networks. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks and reputational damage if exploited. Because the flaw is reachable over the network and needs only a low-privileged account, publicly accessible instances with self-service or shared accounts are the most exposed. Although the impact on integrity and availability is minimal, the confidentiality breach alone can have significant operational and legal consequences under GDPR and other European data protection laws.
Mitigation Recommendations
1. Monitor for official patches or updates from rachelos and apply them promptly once released; no fix has been linked at the time of writing.
2. Until a patch is available, restrict network access to the download_export_file API endpoint using firewalls, reverse-proxy rules or network segmentation to limit exposure.
3. Validate the filename parameter strictly: accept only a bare file name (no path separators, no "..", no absolute paths), then resolve the final path and confirm it lies inside the intended export directory. Stripping "../" alone is insufficient because URL-encoded and absolute-path variants bypass it.
4. Employ web application firewalls (WAFs) with rules that decode the request before matching, so that encoded traversal sequences (e.g. %2e%2e%2f) targeting this endpoint are detected and blocked.
5. Audit web server and application access logs regularly for requests to the export download endpoint whose filename contains traversal sequences, paying particular attention to those that returned HTTP 200.
6. Run the application process with the minimum filesystem access it needs, so that a successful traversal cannot reach system files or other services' secrets.
7. Educate development and operations teams about secure file-handling practices to prevent similar vulnerabilities in future releases.
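Detection logic for the log audit and WAF-style matching above, as an added Python example rather than anything shipped with the project. The endpoint path `/api/v1/tools/export/download`, the query parameter name `filename`, and the log lines themselves are constructed assumptions; on a real deployment substitute the route actually served by apis/tools.py. The script parses common-log-format lines, restricts itself to the download endpoint, decodes the parameter repeatedly to defeat double encoding, and flags traversal or absolute-path values, keeping the HTTP status so that likely successes (200) stand out.

```python
"""Scan access logs for path traversal attempts against an export-download
endpoint. Added example; endpoint, parameter name and log lines are
constructed assumptions, not taken from we-mp-rss."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (common log format). 203.0.113.7 is a documentation
# range address used here as the "attacker".
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2026:06:01:10 +0000] "GET /api/v1/tools/export/download?filename=feeds.opml HTTP/1.1" 200 1842
203.0.113.7 - - [09/Feb/2026:06:01:12 +0000] "GET /api/v1/tools/export/download?filename=../../etc/passwd HTTP/1.1" 200 2310
203.0.113.7 - - [09/Feb/2026:06:01:13 +0000] "GET /api/v1/tools/export/download?filename=..%2F..%2Fconfig.yaml HTTP/1.1" 200 512
203.0.113.7 - - [09/Feb/2026:06:01:14 +0000] "GET /api/v1/tools/export/download?filename=%252e%252e%252fapp.db HTTP/1.1" 404 0
10.0.0.9 - - [09/Feb/2026:06:02:00 +0000] "GET /api/v1/feeds HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." path component (either separator flavour) or an absolute path.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)|^/')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) to defeat double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str,
                            endpoint: str = "/api/v1/tools/export/download",
                            param: str = "filename") -> list:
    """Return one record per request whose `param` looks like a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            name = fully_decode(raw).replace("\\", "/")
            if TRAVERSAL_RE.search(name):
                hits.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "raw": raw,
                    "decoded": name,
                    "status": int(m["status"]),
                    "likely_success": m["status"] == "200",
                })
    return hits


def summarize(hits: list) -> dict:
    """Count attempts and likely successes per source address."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"attempts": 0, "successes": 0})
        entry["attempts"] += 1
        entry["successes"] += int(h["likely_success"])
    return summary


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["decoded"]!r}')
    print(summarize(found))
```

The decode step is the part most naive WAF rules miss: a single-layer decoder sees `%2e%2e%2f` as harmless text, while the application framework will decode it a second time before the handler joins it onto the export directory.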
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-08T08:32:27.048Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698974a74b57a58fa1284a55
Added to database: 2/9/2026, 5:46:15 AM
Last enriched: 2/9/2026, 6:00:50 AM
Last updated: 2/9/2026, 7:04:49 AM