Exploitation Summary
CVE-2026-3965 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
References (9)
Core 9
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.350394
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.350394
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.768861
Issue Tracking issue-tracking
https://github.com/A7cc/cve/issues/6
Issue Tracking issue-tracking
patch
https://github.com/whyour/qinglong/pull/2941
Issue Tracking exploit
issue-tracking
https://github.com/A7cc/cve/issues/6#issue-3999235307
Release Notes patch
https://github.com/whyour/qinglong/releases/tag/v2.20.2
Scores
CVSS v3
6.3
EPSS
0.0044
EPSS Percentile
34.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2026-04-06
CWE
CWE-693
Status
published
Products (4)
whyour/qinglong
0 - 2.20.2npm
whyour/qinglong
2.20.0
whyour/qinglong
2.20.1
whyour/qinglong
2.20.2
Published
Mar 12, 2026
Tracked Since
Mar 12, 2026