CVE Catalog

CVE-2026-22679

Critical
Published: Translated: NVD NIST

Summary

Weaver (Fanwei) E-cology versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, allowing attackers to execute arbitrary commands.

Risk Assessment

This vulnerability allows attackers to remotely take control of the system, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to upgrade to version 20260312 or later to mitigate this vulnerability and restrict access to the debugging endpoint.

Original NVD description (English source)

Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS