CVE-2026-22679— Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-22679
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键功能的认证机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Weaver e-cology 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Weaver e-cology是中国泛微(Weaver)公司的一套协同管理应用平台。 Weaver e-cology 10.0 20260312之前版本存在访问控制错误漏洞,该漏洞源于未经验证的远程代码执行,可能导致执行任意命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Weaver Network Co., Ltd. | E-cology | 0 ~ 20260312 | - |
II. Public POCs for CVE-2026-22679
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-22679
请登录查看更多情报信息。
- 奇安信威胁情报中心third-party-advisory
- 泛微E-cology10 xmReport、dubboApi、saveSignAddrsInfo 远程代码执行漏洞 Poc | Tajang·Hack Your Hearttechnical-descriptionexploit
- 泛微产品线联合下载中心release-notes
- https://nvd.nist.gov/vuln/detail/CVE-2026-22679
IV. Related Vulnerabilities
Same product: E-cology
- CVE-2022-50992
Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via - CVE-2025-34038
Weaver E-cology SQL Injection - CVE-2024-7704
Weaver e-cology Source Code ecology_dev.zip information disc - CVE-2023-3793
Weaver e-cology HTTP POST Request filelFileDownloadForOutDoc - CVE-2023-2806
Weaver e-cology API RequestInfoByXml xml external entity ref
Same weakness: CWE-306
- CVE-2021-47940
WordPress Download From Files 1.48 Arbitrary File Upload - CVE-2021-47936
OpenCATS 0.9.4 Remote Code Execution via Resume Upload - CVE-2021-47933
WordPress MStore API 2.0.6 Arbitrary File Upload - CVE-2026-8185
UGREEN CM933 Administrative missing authentication - CVE-2026-42302
FastGPT: Unauthenticated Remote Code Execution (RCE) via cod
V. Comments for CVE-2026-22679
No comments yet