Description
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 addresses this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very quickly and highly professionally.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Protection Mechanism Failure
Action: Apply Patch
AI Analysis

Impact

The CVE description states: "A security vulnerability has been detected in whyour qinglong up to 2.20.1 ... The manipulation of the argument command leads to protection mechanism failure." The vulnerability is caused by improper handling of the command argument within the API interface (back/loaders/express.ts), which disables the intended protection mechanism. The description also states: "The attack may be initiated remotely." The primary impact is the loss of this protection, as identified by CWE-693 (Protection Mechanism Failure).

Affected Systems

Systems running whyour qinglong version 2.20.1 or earlier are affected. The patch is available in release 2.20.2, identified by commit 6bec52dca158481258315ba0fc2f11206df7b719, which removes the vulnerability. The affected products are listed under the vendor name "whyour:qinglong".

Risk and Exploitability

The CVSS score of 5.3 and the EPSS score of < 1% indicate moderate severity and low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack can be performed remotely by sending crafted requests to the API endpoint, and the exploit has already been publicly disclosed and may be used.

Generated by OpenCVE AI on March 17, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to whyour qinglong 2.20.2 (commit 6bec52dca158481258315ba0fc2f11206df7b719).
  • Restart the qinglong service to ensure the new version is in use.
  • Restrict external access to the API endpoint using network segmentation or firewall rules.


Advisories
Source: Github GHSA
ID: GHSA-xj37-qjg2-xwv2
Title: @whyour/qinglong: manipulation of the argument command leads to protection mechanism failure

History

Thu, 12 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added:
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Whyour, Whyour qinglong

Type: Vendors & Products
Values Added: Whyour, Whyour qinglong

Thu, 12 Mar 2026 00:00:00 +0000

Type: Description
Values Added: A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 addresses this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very quickly and highly professionally.

Type: Title
Values Added: whyour qinglong API express.ts protection mechanism

Type: Weaknesses
Values Added: CWE-693

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:27:53.420Z

Reserved: 2026-03-11T13:14:22.026Z

Link: CVE-2026-3965

Vulnrichment

Updated: 2026-03-12T13:27:49.199Z

NVD

Status: Deferred

Published: 2026-03-12T00:16:11.963

Modified: 2026-04-22T21:30:26.497

Link: CVE-2026-3965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:37Z

Weaknesses