← Back

CVE-2025-11046

nvd nist
Published: Sep 26, 2025Modified: Apr 29, 2026

JSON object

Loading...
5.5
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: CNA (Secondary)

Description

A security flaw has been discovered in Tencent WeKnora 0.1.0. This impacts the function testEmbeddingModel of the file /api/v1/initialization/embedding/test. The manipulation of the argument baseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. It is advisable to upgrade the affected component. The vendor responds: "We have confirmed that the issue mentioned in the report does not exist in the latest releases".

Affected (1)

Products: Tencent: Weknora
Tencent
1 product
Weknora
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Weknora
Version 0.1.0

Related CWEs

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

Source: cna@vuldb.com
ExploitIssue Tracking
Source: cna@vuldb.com
Permissions RequiredVDB Entry
Source: cna@vuldb.com
Third Party AdvisoryVDB Entry
Source: cna@vuldb.com
ExploitThird Party AdvisoryVDB Entry
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitIssue Tracking
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.