CVE-2026-2250

Published: Feb 11, 2026Modified: Feb 12, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd (Secondary)

Description

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.

Related CWEs

CWE-215

Insertion of Sensitive Information Into Debugging Code

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://cydome.io/vulnerability-advisory-cve-2026-2250-unauthenticated-data-exfilteration-and-information-disclosure-in-metis-wic-wireless-intelligent-collector

Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd

https://www.metis.tech/

Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd

Timeline

No history available yet.