CVE-2026-30860
published 2026-03-07

Priority: P268 · Severity: critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.54% (41.2th percentile)
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution (RCE) vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within PostgreSQL array expressions and row expressions, allowing attackers to bypass SQL injection protections. By smuggling dangerous PostgreSQL functions inside these expressions and chaining them with large object operations and library loading capabilities, an unauthenticated attacker can achieve arbitrary code execution on the database server with database user privileges. This issue has been patched in version 0.2.12.

Affected (2 ranges)

Vendor        Product           Version range      Fixed in
github.com    tencent_weknora   >= 0, < 0.2.12     0.2.12
tencent       weknora           < 0.2.12           0.2.12

Detection & IOCs (extracted from sources)

  • Detect bypass of SQL injection protections via PostgreSQL array expressions or row expressions containing smuggled dangerous functions (e.g., large object operations or library loading calls)
  • Monitor for unauthenticated database query requests to WeKnora instances that include PostgreSQL array or row expression syntax combined with large object (lo_*) or library loading (pg_catalog.load_file / LOAD) function calls
  • The vulnerability is exploitable by unauthenticated attackers, so no credentials are required; network-level access controls on the WeKnora service are therefore a critical compensating control.
  • Affected Go packages are github.com/tencent/weknora and github.com/Tencent/WeKnora; both package identifiers should be checked in dependency inventories.
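As an added illustration of the validation gap the advisory describes (this is not WeKnora's code; the denylist, the toy expression grammar and the sample expressions are all constructed for the demo), a small Python parser that compares a top-level-only function check with one that descends into ARRAY[...] elements and function arguments, and that strips a schema qualifier before matching:

```python
import re
# Constructed denylist for the demo (large-object functions the advisory names), not WeKnora's own.
DANGEROUS = {"lo_import", "lo_export", "lo_from_bytea", "lo_put"}
TOKEN = re.compile(r"(?P<ident>[A-Za-z_][\w.]*)|(?P<string>'(?:[^']|'')*')|(?P<number>\d+)|(?P<punct>[(),\[\]])|(?P<ws>\s+)|(?P<bad>.)")

def tokenize(sql):
    # Split a PostgreSQL expression into (kind, text) tokens; any other character is rejected.
    tokens = []
    for m in TOKEN.finditer(sql):
        if m.lastgroup == "bad":
            raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens

def parse_expr(tokens, pos):
    # Recursive descent into (kind, name, children) tuples: call / array / leaf.
    kind, text = tokens[pos]
    nxt = tokens[pos + 1][1] if pos + 1 < len(tokens) else None
    if kind == "ident" and text.upper() == "ARRAY" and nxt == "[":
        items, pos = parse_list(tokens, pos + 2, "]")
        return ("array", "", items), pos
    if kind == "ident" and nxt == "(":  # function call; ROW(...) parses the same way
        args, pos = parse_list(tokens, pos + 2, ")")
        return ("call", text.lower().rsplit(".", 1)[-1], args), pos  # drop schema qualifier
    return ("leaf", text, []), pos + 1

def parse_list(tokens, pos, closer):
    items = []
    while pos < len(tokens) and tokens[pos][1] != closer:
        node, pos = parse_expr(tokens, pos)
        items.append(node)
        if pos < len(tokens) and tokens[pos][1] == ",":
            pos += 1
    if pos >= len(tokens):
        raise ValueError(f"missing closing {closer!r}")  # fail closed on malformed input
    return items, pos + 1  # position just past the closer

def all_calls(node):
    # Every function name in the tree, descending into array elements and call arguments.
    names = {node[1]} if node[0] == "call" else set()
    for child in node[2]:
        names |= all_calls(child)
    return names

def dangerous_calls(expr, recursive=True):
    # Sorted denylisted names found; recursive=False mimics a top-level-only check.
    node, _ = parse_expr(tokenize(expr), 0)
    found = all_calls(node) if recursive else ({node[1]} if node[0] == "call" else set())
    return sorted(found & DANGEROUS)
```

The toy grammar is only wide enough to show the point; a production validator should walk the tree produced by a full PostgreSQL parser so that every node type, not just arrays and rows, is inspected.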