CVE-2026-3965

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/A7cc/cve/issues/6
https://github.com/A7cc/cve/issues/6#issue-3999235307
https://github.com/whyour/qinglong/
https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b719
https://github.com/whyour/qinglong/pull/2941
https://github.com/whyour/qinglong/releases/tag/v2.20.2
https://vuldb.com/?ctiid.350394
https://vuldb.com/?id.350394
https://vuldb.com/?submit.768861

Configurations

No configuration.

History

12 Mar 2026, 21:07

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de seguridad ha sido detectada en whyour qinglong hasta la versión 2.20.1. Afecta a una función desconocida del archivo back/loaders/express.ts del componente Interfaz API. La manipulación del argumento command conduce a un fallo del mecanismo de protección. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado públicamente y puede ser utilizado. La actualización a la versión 2.20.2 puede solucionar este problema. El identificador del parche es 6bec52dca158481258315ba0fc2f11206df7b719. Es aconsejable actualizar el componente afectado. El mantenedor del código fue informado de antemano sobre los problemas. Reaccionó muy rápido y de manera altamente profesional.

12 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 00:16

Updated : 2026-03-12 21:07

NVD link : CVE-2026-3965

Mitre link : CVE-2026-3965

CVE.ORG link : CVE-2026-3965

JSON object : View

Products Affected

No product.

CWE

CWE-693

Protection Mechanism Failure

6.3 /10