Vulnerability Details CVE-2026-30858
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a DNS rebinding vulnerability in the web_fetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including private IP addresses (e.g., 127.0.0.1, 192.168.x.x). By crafting a malicious domain that resolves to a public IP during validation and subsequently resolves to a private IP during execution, an attacker can access sensitive local services and potentially exfiltrate data. This issue has been patched in version 0.3.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.4%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-30858
-
cpe:2.3:a:tencent:weknora:0.1.0
-
cpe:2.3:a:tencent:weknora:0.1.1
-
cpe:2.3:a:tencent:weknora:0.1.2
-
cpe:2.3:a:tencent:weknora:0.1.3
-
cpe:2.3:a:tencent:weknora:0.1.4
-
cpe:2.3:a:tencent:weknora:0.1.5
-
cpe:2.3:a:tencent:weknora:0.1.6
-
cpe:2.3:a:tencent:weknora:0.2.0
-
cpe:2.3:a:tencent:weknora:0.2.1
-
cpe:2.3:a:tencent:weknora:0.2.2
-
cpe:2.3:a:tencent:weknora:0.2.3
-
cpe:2.3:a:tencent:weknora:0.2.4
-
cpe:2.3:a:tencent:weknora:0.2.5
-
cpe:2.3:a:tencent:weknora:0.2.6
-
cpe:2.3:a:tencent:weknora:0.2.7
-
cpe:2.3:a:tencent:weknora:0.2.8
-
cpe:2.3:a:tencent:weknora:0.2.9