CVE-2026-22679 (CVSS 9.8, CISA KEV confirmed, priority 0.85) affects Weaver E-cology 10.0 versions prior to build 20260312 via an exposed unauthenticated Dubbo debug interface that allows arbitrary OS command execution without credentials. Active exploitation was observed as of March 31, 2026, and the attack path is fully documented — attackers POST crafted requests to /papi/esearch/data/devops/dubboApi/debug/method with attacker-controlled parameters to invoke internal command-execution helpers. Organizations must patch to build 20260312 immediately and block the vulnerable endpoint at the WAF or perimeter firewall; internet-facing deployments that cannot be patched immediately should be taken offline.