CVE-2026-22687
WeKnora vulnerable to SQL Injection
| CVSS Score | 5.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, once the Agent service is enabled, WeKnora allows users to call the database query tool. Because backend validation is insufficient, an attacker can use prompt-based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.
| CWE | CWE-89 |
| Vendor | tencent |
| Product | weknora |
| Published | Jan 10, 2026 |
| Last Updated | Mar 10, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
| Tencent / WeKnora | < 0.2.5 |