CVE-2026-2250 PUBLISHED

Unauthenticated Data Export and Source Code Disclosure via /dbviewer/ in METIS WIC

Assigner: MHV
Reserved: 09.02.2026 | Published: 11.02.2026 | Updated: 11.02.2026

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Product Status

Vendor: METIS Cyberspace Technology SA
Product: METIS WIC
Versions (default: unaffected):
  • Version oscore 2.1.234-r18 is affected
  • Version oscore 2.1.235-r19 is unaffected

Credits

  • Or Balog (Cydome Security), finder

Problem Types

  • CWE-284 Improper Access Control
  • CWE-215 Insertion of Sensitive Information Into Debugging Error Output