Weaver E-cology 10.0 contains an unauthenticated OS command injection vulnerability (CVSS 9.8) in an exposed debug endpoint. The Shadowserver Foundation has confirmed active exploitation beginning 2026-03-31, and the CISA KEV listing is confirmed. The vulnerable endpoint requires no authentication and passes attacker-controlled parameters directly to command-execution internals. Organizations should immediately block access to the affected debug endpoint path at the perimeter and apply patch version 20260312 or later.
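
To confirm that the perimeter block is effective and to review earlier exposure, the following added example (not vendor or advisory code) triages front-end access logs for external requests to the debug endpoint and checks the installed patch version. The endpoint path is a placeholder because it is not given here; the log format, the internal address ranges, the 403/404 block responses, the 8-digit patch version string and the sample log lines are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Placeholder: the debug endpoint path is not given on this page; take it from the vendor advisory.
DEBUG_PATH = "/REPLACE-WITH-DEBUG-ENDPOINT-PATH"
FIXED_BUILD = 20260312                                    # patch version named above
FIRST_SEEN = datetime(2026, 3, 31, tzinfo=timezone.utc)   # exploitation start named above
# Assumption: ranges treated as internal; adjust to the environment.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the front-end proxy writes common/combined access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.7 - - [30/Mar/2026:22:10:01 +0000] "GET /REPLACE-WITH-DEBUG-ENDPOINT-PATH HTTP/1.1" 200 512',
    '198.51.100.23 - - [31/Mar/2026:04:15:09 +0000] "POST /REPLACE-WITH-DEBUG-ENDPOINT-PATH?x=1 HTTP/1.1" 200 87',
    '198.51.100.23 - - [02/Apr/2026:11:02:44 +0000] "POST //replace-with-debug-endpoint-path HTTP/1.1" 403 0',
    '10.1.2.3 - - [01/Apr/2026:09:00:00 +0000] "GET /REPLACE-WITH-DEBUG-ENDPOINT-PATH HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2026:09:00:05 +0000] "GET /login HTTP/1.1" 200 2048',
]

def is_patched(build: str) -> bool:
    """True when the installed patch version is 20260312 or later."""
    return len(build) == 8 and build.isdigit() and int(build) >= FIXED_BUILD

def triage(lines):
    """Return external requests to the debug path and whether the application answered."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise encoding, duplicate slashes and case before comparing paths.
        path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0])).lower()
        if not path.startswith(DEBUG_PATH.lower()):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or malformed client field
        if any(ip in net for net in INTERNAL):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        hits.append({"ip": str(ip), "time": ts, "status": status,
                     "reached_app": status not in (403, 404),  # assumed block responses
                     "in_exploitation_window": ts >= FIRST_SEEN})
    return hits
```

Any hit with `reached_app` set after the block was deployed means the perimeter rule is not matching that request form; hits inside the exploitation window on an unpatched host warrant incident response rather than patching alone.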