CVE-2026-30247

MEDIUM 5.9

WeKnora: SSRF via Redirection

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery (SSRF) through HTTP redirects. While the backend implements comprehensive URL validation (blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints), it fails to validate redirect targets. An attacker can bypass all protections by using a redirect chain, forcing the server to access internal services. Additionally, Docker-specific internal addresses like host.docker.internal are not blocked. This issue has been patched in version 0.2.12.

CWE	CWE-918
Vendor	tencent
Product	weknora
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for tencent weknora

Be the first to know when new medium vulnerabilities affecting tencent weknora are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Tencent / WeKnora

< 0.2.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Tencent/WeKnora/security/advisories/GHSA-595m-wc8g-6qgc