CVE-2026-3965
published 2026-03-12


Priority: P180 (medium)
CVSS 3.1 base score: 6.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 0.44% (35.2th percentile)
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. Manipulation of the argument command leads to a protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 addresses this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issue and reacted very fast and highly professionally.

Affected (3 ranges)

Vendor   Product    Version range      Fixed in
whyour   qinglong   (not specified)    (not specified)
whyour   qinglong   (not specified)    (not specified)
whyour   qinglong   >= 0, < 2.20.2     2.20.2

Detection & IOCs (extracted from sources)

path: back/loaders/express.ts
other (patch commit): 6bec52dca158481258315ba0fc2f11206df7b719

  • The initial patch (PR #2924) focused only on blocking command injection patterns and was assessed as insufficient; the effective authentication bypass fix came in PR #2941. Defenders should ensure they are running version 2.20.2 with the PR #2941 fix applied.
  • CVE-2026-3965 is chained with CVE-2026-4047 to achieve full unauthenticated RCE; patching only one may not fully remediate the attack surface.
  • Exploitation was confirmed even on Qinglong instances deployed behind Nginx and SSL, meaning network-layer controls alone are insufficient to prevent exploitation.
  • Active exploitation began February 7, weeks before public disclosure at the end of February, indicating a significant window of pre-patch exposure for internet-facing Qinglong panels.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvd         v4.0      2.1     LOW        CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd         v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck   -         5.3     MEDIUM     -