{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22688", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-08T19:23:09.854Z", "datePublished": "2026-01-10T03:41:59.952Z", "dateUpdated": "2026-01-12T17:20:43.431Z"}, "containers": {"cna": {"title": "WeKnora has Command\u00a0Injection\u00a0in\u00a0MCP stdio\u00a0test", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc"}, {"name": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb"}], "affected": [{"vendor": "Tencent", "product": "WeKnora", "versions": [{"version": "< 0.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T03:41:59.952Z"}, "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5."}], "source": {"advisory": "GHSA-78h3-63c4-5fqc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T17:20:40.444491Z", "id": "CVE-2026-22688", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:20:43.431Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22688", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-12T17:20:40.444491Z"}}}], "references": [{"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:20:29.771Z"}}], "cna": {"title": "WeKnora has Command\u00a0Injection\u00a0in\u00a0MCP stdio\u00a0test", "source": {"advisory": "GHSA-78h3-63c4-5fqc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Tencent", "product": "WeKnora", "versions": [{"status": "affected", "version": "< 0.2.5"}]}], "references": [{"url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc", "name": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb", "name": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T03:41:59.952Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22688", "state": "PUBLISHED", "dateUpdated": "2026-01-12T17:20:43.431Z", "dateReserved": "2026-01-08T19:23:09.854Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T03:41:59.952Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*", "matchCriteriaId": "286261BD-8F02-4CF6-815C-EFC31708684D", "versionEndExcluding": "0.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5."}], "id": "CVE-2026-22688", "lastModified": "2026-01-22T14:39:17.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-10T04:16:01.837", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:16:05.853275+00:00", "value": {"mitigation_remediation": ["Update WeKnora to version 0.2.5 or later to apply the official patch", "Enforce strict authentication controls so that only trusted administrators can modify MCP stdio parameters", "Review and harden configuration files by removing or disabling any custom stdio configurations that could allow arbitrary command execution"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Deployments of Tencent\u2019s WeKnora framework before version 0.2.5 are affected. This includes all installations of Tencent\u2019s WeKnora before 0.2.5.", "description_and_impact": "WeKnora, the LLM\u2011powered document understanding framework, contains a command injection flaw in its MCP stdio configuration. The vulnerability permits an authenticated user to supply arbitrary values for stdio_config.command or args, which the server executes as system subprocesses. This enables an attacker to run any desired code with the privileges of the WeKnora service, granting complete control over the host. The flaw is a classic command injection (CWE\u201177) and is quantified with a CVSS score of 10, indicating a deterministic critical impact.", "risk_and_exploitability": "The EPSS score is below 1%, indicating a low probability of exploitation at this time, but the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access with rights to modify MCP stdio settings; once authenticated, the attacker can execute arbitrary commands, making the risk for confidentiality, integrity, and availability of the entire service instance extremely high. The severity remains at the maximum level due to the CVSS score of 10, and the official fix has been released in version 0.2.5."}}}}, "created": "2026-01-12T14:36:41.877534+00:00", "updated": "2026-04-18T19:30:08.951299+00:00", "vendors": ["tencent", "tencent$PRODUCT$weknora"]}