2.1
Qinglong API Interface vulnerable to remote command manipulation
CVE-2026-3965
GHSA-xj37-qjg2-xwv2
Summary
A vulnerability in the API Interface component of whyour qinglong can allow a remote attacker to manipulate the command argument handled in back/loaders/express.ts, causing a protection mechanism to fail. The exploit has been publicly disclosed, and a fix is available in version 2.20.2. Update to the latest version to protect against potential attacks.
What to do
- Update whyour qinglong to version 2.20.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| whyour | qinglong | <= 2.20.2 | 2.20.2 |
Original title
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure
Original description
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professionally.
CVSS scores (NVD)
- CVSS 2.0: 6.5
- CVSS 3.1: 6.3
- CVSS 4.0: 5.3
Vulnerability type
CWE-693: Protection Mechanism Failure
- https://github.com/A7cc/cve/issues/6
- https://github.com/A7cc/cve/issues/6#issue-3999235307
- https://github.com/whyour/qinglong/
- https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b7...
- https://github.com/whyour/qinglong/pull/2941
- https://vuldb.com/?ctiid.350394
- https://github.com/whyour/qinglong/releases/tag/v2.20.2
- https://vuldb.com/?id.350394
- https://vuldb.com/?submit.768861
- https://nvd.nist.gov/vuln/detail/CVE-2026-3965
- https://github.com/whyour/qinglong
- https://github.com/advisories/GHSA-xj37-qjg2-xwv2
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026