LeakyCreds

CVE-2026-30860 - Vulnerability Analysis

Critical | CVSS: 9.9

Last Updated: March 9, 2026

WeKnora - SQL Injection

Published: March 7, 2026 | Updated: March 9, 2026 | PoC Available | Remote Exploitable

Overview

WeKnora < 0.2.12 contains a SQL injection caused by insufficient validation of child nodes in PostgreSQL array and row expressions, letting unauthenticated attackers execute arbitrary code on the database server with database user privileges.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 16.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary code on the database server with database user privileges, risking full database compromise.

Mitigation

Upgrade to version 0.2.12 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 8, 2026

🔓 CVE-2026-30860 - Critical (9.9) WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution (RCE) vulnerability exists in the application's database query functionality. The validation syst... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30860/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-30860
Severity: Critical
CVSS Score: 9.9
Type: sql_injection
Status: confirmed
EPSS: 16.0%
Social Posts: 1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

16.0% (Probability of exploitation in the next 30 days)