
Description

A security vulnerability has been detected in whyour qinglong up to 2.20.1. It affects an unknown function in the file back/loaders/express.ts of the API Interface component. Manipulating the argument command leads to a protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 addresses this issue. The patch is identified as 6bec52dca158481258315ba0fc2f11206df7b719. Upgrading the affected component is advised. The code maintainer was informed beforehand about the issues and reacted very quickly and highly professionally.

PUBLISHED | Reserved 2026-03-11 | Published 2026-03-11 | Updated 2026-03-12 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Protection Mechanism Failure

Product status

2.20.0: affected
2.20.1: affected
2.20.2: unaffected

Timeline

2026-03-11: Advisory disclosed
2026-03-11: VulDB entry created
2026-03-11: VulDB entry last update

Credits

a7cc (VulDB User), reporter

References

vuldb.com/?id.350394 (VDB-350394 | whyour qinglong API express.ts protection mechanism) vdb-entry technical-description

vuldb.com/?ctiid.350394 (VDB-350394 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.768861 (Submit #768861 | qinglong v2.20.1 Remote Command Execution) third-party-advisory

github.com/A7cc/cve/issues/6 issue-tracking

github.com/whyour/qinglong/pull/2941 issue-tracking patch

github.com/A7cc/cve/issues/6 exploit issue-tracking

github.com/...ommit/6bec52dca158481258315ba0fc2f11206df7b719 patch

github.com/whyour/qinglong/releases/tag/v2.20.2 patch

github.com/whyour/qinglong/ product

cve.org (CVE-2026-3965)

nvd.nist.gov (CVE-2026-3965)
