CVE-2026-22688
PUBLISHED
CVSS 10 CRITICAL
WeKnora is an LLM-powered framework for deep document understanding and semantic retrieval. Before version 0.2.5, its MCP (Model Context Protocol) stdio server settings accepted a stdio_config whose command and args fields were taken from the authenticated user without validation; the server then spawned a subprocess from those values, so any authenticated user could run a command of their choosing on the host (the vector's S:C reflects that the impact reaches beyond the vulnerable component, hence the 10.0 score). The issue is fixed in version 0.2.5. Upgrade to 0.2.5 or later; the Go vulnerability database tracks the module as GO-2026-4292, so govulncheck will flag builds that pull in an affected version.
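The pattern behind this class of bug, and one way to close it, as an added illustration that is not WeKnora's code and does not reproduce the project's actual fix. The StdioConfig and MCPSettings types, the field names, the allowlist contents and the isAdmin flag are assumptions made for the example. Two points matter in practice: os/exec does not go through a shell, so filtering shell metacharacters is not the fix, because the attacker already controls argv[0] and can name /bin/sh outright; and allowlisting the launcher alone is not enough either, since interpreter flags (node -e, python -c) and environment variables such as LD_PRELOAD or NODE_OPTIONS turn a benign launcher into arbitrary code. The hardened validator therefore pins the launcher, the flags it may take and the environment, and keeps the decision behind an authorization check.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// StdioConfig is an illustrative model of an MCP stdio server setting
// (command + args + env). Field names are assumptions, not WeKnora's types.
type StdioConfig struct {
	Command string            `json:"command"`
	Args    []string          `json:"args"`
	Env     map[string]string `json:"env,omitempty"`
}

// MCPSettings is the request body an authenticated user submits.
type MCPSettings struct {
	StdioConfig StdioConfig `json:"stdio_config"`
}

// vulnerableCommand shows the bug pattern: whatever the user sent becomes the
// program to spawn. No shell is involved, but argv[0] is attacker-chosen, so
// "/bin/sh -c ..." runs exactly as requested.
func vulnerableCommand(cfg StdioConfig) *exec.Cmd {
	return exec.Command(cfg.Command, cfg.Args...)
}

// allowedLaunchers maps each permitted launcher (assumed set) to the flags it
// may take. Anything not listed is rejected; code-eval flags such as
// "node -e", "python3 -c" or "sh -c" never appear here.
var allowedLaunchers = map[string]map[string]bool{
	"npx": {"-y": true, "--yes": true},
	"uvx": {},
}

// blockedEnv lists variables that let a user hijack an allowed launcher.
var blockedEnv = []string{
	"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP",
}

// ValidateStdioConfig enforces the policy above. isAdmin models the
// authorization check: ordinary authenticated users must not be able to
// define subprocess commands at all.
func ValidateStdioConfig(cfg StdioConfig, isAdmin bool) error {
	if !isAdmin {
		return errors.New("only administrators may configure stdio MCP servers")
	}
	flags, ok := allowedLaunchers[cfg.Command]
	if !ok {
		return fmt.Errorf("command %q is not an allowed launcher", cfg.Command)
	}
	if len(cfg.Args) == 0 {
		return errors.New("a package name is required")
	}
	for _, a := range cfg.Args {
		if strings.ContainsAny(a, "\x00\r\n") {
			return fmt.Errorf("argument contains control characters: %q", a)
		}
		if strings.HasPrefix(a, "-") && !flags[a] {
			return fmt.Errorf("flag %q is not permitted for %s", a, cfg.Command)
		}
	}
	for _, k := range blockedEnv {
		if _, set := cfg.Env[k]; set {
			return fmt.Errorf("environment variable %s may not be overridden", k)
		}
	}
	return nil
}

// ParseAndValidate is what a settings handler would call on the JSON body.
// Unknown fields are rejected so nothing slips past the validated struct.
func ParseAndValidate(body []byte, isAdmin bool) (StdioConfig, error) {
	var s MCPSettings
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&s); err != nil {
		return StdioConfig{}, err
	}
	if err := ValidateStdioConfig(s.StdioConfig, isAdmin); err != nil {
		return StdioConfig{}, err
	}
	return s.StdioConfig, nil
}

func main() {
	// Constructed payloads for the demo, not captured traffic.
	malicious := []byte(`{"stdio_config":{"command":"/bin/sh","args":["-c","id > /tmp/pwned"]}}`)
	benign := []byte(`{"stdio_config":{"command":"npx","args":["-y","@modelcontextprotocol/server-filesystem","/srv/docs"]}}`)
	for _, b := range [][]byte{malicious, benign} {
		_, err := ParseAndValidate(b, true)
		fmt.Printf("%s\n  -> %v\n", b, err)
	}
}
```

Run it as a plain Go program to see the shell payload rejected and the filesystem-server launch accepted. The allowlist is deliberately narrow; when an operator needs another launcher, add it with its permitted flags rather than loosening the flag check, and keep the admin gate even then, since the advisory's point is that ordinary authenticated users reached this setting at all.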
Risk Scores
CVSS v3.1: 10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.45% (64.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tencent | WeKnora | all versions before 0.2.5 |
| Go module | github.com/Tencent/WeKnora | all versions before 0.2.5 (GO-2026-4292) |
Timeline
- Jan 9, 2026 CVE Published
- Jan 10, 2026 EPSS Score
- Jan 10, 2026 PoC Published
- Jan 10, 2026 PoC Published
- Jan 13, 2026 EPSS Score
- Jan 13, 2026 PoC Published
- Jan 16, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 22, 2026 CVE Updated
- Jan 22, 2026 EPSS Score
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
References
- GitHub Security Advisory GHSA-78h3-63c4-5fqc: https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc
- Commit referenced for the fix: https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-22688
- Project repository: https://github.com/Tencent/WeKnora
- Go vulnerability database GO-2026-4292: https://pkg.go.dev/vuln/GO-2026-4292