CVE-2026-3965
Published 2026-03-12
Priority P1 · 80 · medium · 6.3 CVSS 3.1
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 0.44% (35.2th percentile)
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 addresses this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues and reacted very fast and in a highly professional manner.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| whyour | qinglong | — | — |
| whyour | qinglong | — | — |
| whyour | qinglong | >= 0 < 2.20.2 | 2.20.2 |
Detection & IOCs (extracted from sources)
- The initial patch (PR #2924) focused only on blocking command injection patterns and was assessed as insufficient; the effective authentication bypass fix came in PR #2941. Defenders should ensure they are running version 2.20.2 with the PR #2941 fix applied.
- CVE-2026-3965 is chained with CVE-2026-4047 to achieve full unauthenticated RCE; patching only one may not fully remediate the attack surface.
- Exploitation was confirmed even on Qinglong instances deployed behind Nginx and SSL, meaning network-layer controls alone are insufficient to prevent exploitation.
- Active exploitation began February 7, weeks before public disclosure at the end of February, indicating a significant window of pre-patch exposure for internet-facing Qinglong panels.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | n/a | 5.3 | MEDIUM | n/a |
OSV
osv · 2026-03-12 · CVE-2026-3965 [LOW]
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure
GHSA
ghsa · 2026-03-12 · CVE-2026-3965 [LOW] · CWE-693
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure
VulnCheck
vulncheck · 2026 · CVSS 5.3 · CVE-2026-3965 [MEDIUM]
Protection Mechanism Failure
Affected: whyour qinglong
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the
No detection rules found.
No public exploits indexed.
Hackernews
blogs_hackernews · 2026-04-30 · CVE-2019-0708
## ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories
The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online.
Security is always a moving target. Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job.
Bleepingcomputer
blogs_bleepingcomputer · 2026-04-29 · CVSS 5.3 · CVE-2026-3965 [MEDIUM]
## Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining
By Bill Toulas
Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers.
Exploitation started in early February, before the security issues were disclosed publicly at the end of the month, according to researchers at cloud-native application security company Snyk.
Qinglong is a self-hosted open-source time management platform popular among Chinese developers. It has been forked more than 3,200 times and has over 19,000 stars on GitHub.
The two security problems impact Qinglong versions 2.20.1 and older and can be chained to achieve remote code execution:
CVE-2026-3965: A misconfigured rewrite rule maps ‘/open/
Wiz
blogs_wiz · CVSS 4.3 · CVE-2026-3965 [MEDIUM]
CVE-2026-3965 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3965: JavaScript vulnerability analysis and mitigation
Source: NVD
Score 5.3 (CNA score 5.3) · Severity MEDIUM · Published March 12, 2026
References:
- https://github.com/A7cc/cve/issues/6
- https://github.com/A7cc/cve/issues/6#issue-3999235307
- https://github.com/whyour/qinglong/
- https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b719
- https://github.com/whyour/qinglong/pull/2941
- https://github.com/whyour/qinglong/releases/tag/v2.20.2
- https://vuldb.com/?ctiid.350394
- https://vuldb.com/?id.350394
- https://vuldb.com/?submit.768861