rachelos WeRSS we-mp-rss Path Traversal Vulnerability in Export Download Function

Vulnerability

A path traversal vulnerability has been identified in rachelos WeRSS we-mp-rss versions through 1.4.8. The issue arises in the download_export_file function within apis/tools.py, where improper handling of the filename argument allows for manipulation that leads to unauthorized access to files outside the intended directory. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for arbitrary file read access, enabling an attacker to access sensitive files outside the application's designated directory.
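One way to enforce the containment that the filename handling described above lacks, shown as an added example; it is not the project's code or its patch. The names resolve_export_path and UnsafeExportPath, the exports directory layout and every sample filename are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeExportPath(ValueError):
    """The requested filename would leave the export directory."""


def resolve_export_path(export_dir, filename):
    """Return the real path of `filename` inside `export_dir`, or raise."""
    if not filename or "\x00" in filename:
        raise UnsafeExportPath("empty filename or NUL byte")
    # Accept a bare file name only: reject both separator styles and dot names.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise UnsafeExportPath("directory components are not allowed")
    base = Path(export_dir).resolve()
    # resolve() follows symlinks, so a link pointing outside fails the check below.
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise UnsafeExportPath("resolved path escapes the export directory")
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


def demo():
    """Run the check over constructed inputs; return {filename: outcome}."""
    names = ("feed.csv", "../config.yaml", "/etc/hostname", "..\\config.yaml", "link.csv", "absent.csv")
    results = {}
    with tempfile.TemporaryDirectory() as root:
        export_dir = Path(root) / "exports"
        export_dir.mkdir()
        (export_dir / "feed.csv").write_text("id,title\n")  # constructed export file
        (Path(root) / "config.yaml").write_text("key: constructed\n")  # outside exports
        os.symlink(Path(root) / "config.yaml", export_dir / "link.csv")
        for name in names:
            try:
                resolve_export_path(export_dir, name)
                results[name] = "served"
            except UnsafeExportPath:
                results[name] = "rejected"
            except FileNotFoundError:
                results[name] = "missing"
    return results


if __name__ == "__main__":
    print(demo())
```

Apply the check to the filename as the handler receives it, after URL decoding, and open only the path the function returns.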

Added: Feb 9, 2026, 6:22 AM
Updated: Feb 9, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.