Weaver E-cology CVE-2026-22679 Actively Exploited — CVSS 9.8 Unauthenticated RCE via Debug API

CVE-2026-22679 (CVSS 9.8) is an unauthenticated remote code execution vulnerability in Weaver (Fanwei) E-cology, a widely deployed enterprise office automation and collaboration platform. The flaw resides in the /papi/esearch/data/devops/ debug API endpoint and affects E-cology 10.0 versions prior to the 20260312 patch release. Active exploitation has been confirmed in the wild. Organizations running E-cology should apply the March 12, 2026 patch immediately, block external access to the debug API endpoint as a compensating control, and review logs for unauthorized requests to the affected path. This platform is commonly deployed inside corporate intranets, but any edge-facing instances are at high risk.