CVE-2026-22679
CVE-2026-22679
9.3
CriticalPublished:
Last updated:
Source:disclosure@vulncheck.com
Modified
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- None
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- None
- Integrity (Subsequent)
- None
- Availability (Subsequent)
- None
Description
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
References
disclosure@vulncheck.com
https://h4cker.zip/post/d5d211/disclosure@vulncheck.com
https://ti.qianxin.com/vulnerability/notice-detail/1760disclosure@vulncheck.com
https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpointdisclosure@vulncheck.com
https://www.weaver.com.cn/cs/securityDownload.html#134c704f-9b21-4f2e-91b3-4a467353bcc0
https://blog.vega.io/posts/cve-2026-22679-weaver-ecology-exploitation/