HIGHCVE-2026-2250Published Modified CNA MHV
CVE-2026-2250: Unauthenticated Data Export and Source Code Disclosure via /dbviewer/ in METIS WIC
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- oscore 2.1.235-r19
- Affected Products
- 1
Fix available
oscore 2.1.235-r19
Affected packages
- METIS Cyberspace Technology SA / METIS WICoscore 2.1.234-r18Fixed in oscore 2.1.235-r19
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences