4 matches found

OSV
added 2026/03/07 1:59 a.m. | 3 views

GHSA-R55H-3RWJ-HCMG WeKnora has Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation

Summary: A critical unauthenticated remote code execution (RCE) vulnerability exists in the MCP stdio configuration validation introduced in version 2.0.5. The application allows unrestricted user registration, meaning any attacker can create an account and exploit the command injection flaw. Despit...

CVSS: 10 | AI score: 6.6 | EPSS: 0.00083
Exploits: 1 | References: 4
Positive Technologies
added 2026/03/07 12:0 a.m. | 3 views

PT-2026-23854

Name of the Vulnerable Software and Affected Versions: WeKnora versions 0.2.5 through 0.2.9; WeKnora version 0.2.10
Description: WeKnora, an LLM-powered framework for deep document understanding and semantic retrieval, contains an unauthenticated remote code execution (RCE) issue in the MCP stdio...

CVSS: 10 | AI score: 6.5 | EPSS: 0.07313
Exploits: 68 | References: 139
Veracode
added 2026/01/21 9:20 a.m. | 3 views

Command Injection

github.com/tencent/weknora is vulnerable to command injection. The vulnerability is due to improper validation of user-supplied stdioconfig.command and args in MCP stdio settings, which allows an authenticated attacker to inject arbitrary commands and cause the server to execute malicious...

CVSS: 9.9 | AI score: 6.1 | EPSS: 0.00454
Exploits: 1 | References: 4 | Affected Software: 1
Snyk
added 2026/01/10 4:57 a.m. | 1 view

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the stdioconfig.command or stdioconfig.args parameters in MCP stdio settings. An attacker can execute arbitrary system commands by injecting malicious values into these parameters.
Remediation: Upgrade...

CVSS: 9.9 | AI score: 7.9 | EPSS: 0.00454
Exploits: 1 | References: 2