wizardchen

2 exploits Active since Jan 2026
CVE-2026-22687 WRITEUP MEDIUM WRITEUP
WeKnora < 0.2.5 - SQL Injection via Prompt-Based Bypass
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.
CVSS 5.6
CVE-2026-22688 WRITEUP CRITICAL WRITEUP
WeKnora < 0.2.5 - Authenticated Command Injection via stdio_config.command/args
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
CVSS 9.9