Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Details
CVSS v3
9.9
NVD published
2026-01-10 04:16:01
EPSS
0.4% probability · 60.5th percentile — 2026-04-19
Affected versions
cpe:2.3:a:tencent:weknora:*:*:*:*:*:*:*:*
Summary
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.