Description

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.

INFO

Published Date :

2026-01-10T03:41:59.952Z

Last Modified :

2026-01-12T17:20:43.431Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22688 vulnerability.

Vendors Products
Tencent
  • Weknora
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22688.

URL Resource
https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb cve-icon cve-icon
https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact