CNNVD-202601-1740 Information

CNNVD ID

CNNVD-202601-1740

CVE-2026-22688

  • CNNVD Published: 2026-01-10

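Description (translated from Chinese)

WeKnora is an LLM-based framework open-sourced by Tencent, with features such as deep document understanding, semantic retrieval, and context-aware answers using the RAG paradigm. Versions of WeKnora before 0.2.5 contain a command injection vulnerability caused by insufficient input validation of stdio_config.command/args, which may lead to command injection.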

Description (English)

WeKnora is an open-source LLM-based framework from Tencent that uses the RAG paradigm for deep document understanding, semantic retrieval, and context-aware answers. Versions of WeKnora before 0.2.5 have a command injection vulnerability that results from inadequate input validation of stdio_config.command/args and may lead to command injection.

Hazard Level

Low

Vulnerability Type

Command injection

Affected Vendor

Tencent

Published

2026-01-10

Last Modified

2026-02-24

References

https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb
https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc

Patch

https://github.com/Tencent/WeKnora/releases
