CVE-2026-3965

MEDIUM EXPLOITED LAB

Whyour Qinglong <=2.20.1 - Auth Bypass

Title source: llm

Description

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.

References (9)

[Permissions Required, VDB Entry] https://vuldb.com/?id.350394

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.350394

[Permissions Required, VDB Entry] https://vuldb.com/?submit.768861

[Issue Tracking] https://github.com/A7cc/cve/issues/6

[Issue Tracking] https://github.com/whyour/qinglong/pull/2941

[Issue Tracking] https://github.com/A7cc/cve/issues/6#issue-3999235307

[Patch] https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b719

[Release Notes] https://github.com/whyour/qinglong/releases/tag/v2.20.2

[Various Sources] https://github.com/whyour/qinglong/

View Writeup ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0010

EPSS Percentile 27.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull whyour/qinglong:latest

https://github.com/whyour/qinglong

View in Library

Details

VulnCheck KEV 2026-04-06

CWE

CWE-693

Status published

Products (4)

whyour/qinglong 0 - 2.20.2npm

whyour/qinglong 2.20.0

whyour/qinglong 2.20.1

whyour/qinglong 2.20.2

Published Mar 12, 2026

Tracked Since Mar 12, 2026