CVE-2026-3965
Status: Received - Intake
Command Injection in Qinglong API Interface Allows Remote Exploit

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. Manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 addresses this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issue and responded very quickly and professionally.
Meta Information
Published: 2026-03-12
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
whyour    qinglong   up to 2.20.1 (inclusive)
CWE
CWE-693: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3965 is a remote command execution vulnerability in whyour qinglong up to version 2.20.1. It affects the API interface, specifically the file back/loaders/express.ts. The API route /command-run executes the supplied "command" argument on the server without sanitization, so whatever gates that route is the real security boundary.

The root cause is flawed API authentication logic: the JWT verification can be bypassed by requesting a capitalized variant of the API path (for example /apI/... instead of /api/...), which the authentication filter's regex does not match while the request still reaches the route handler. Combined with the unsanitized "command" argument, this gives an unauthenticated remote attacker arbitrary shell command execution on the host. This is also why the weakness is classified as CWE-693 (protection mechanism failure) rather than as a plain injection bug.

A public proof-of-concept sends a crafted PUT request to such a capitalized endpoint and executes "whoami" on the server, confirming the vulnerability.

The vulnerability is publicly disclosed, is rated easy to exploit, and is fixed in version 2.20.2, which contains the patch. [2, 3, 5]
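The bypass class described above, as an added example that is not qinglong's own code: a router that matches paths case-insensitively sitting behind an authentication filter that matches them case-sensitively. Express matches routes case-insensitively unless "case sensitive routing" is enabled, and the small router below reproduces that default so the example runs without the express package. The route table, the shape of the vulnerable filter and the handler names are assumptions for illustration, not taken from the project.

```javascript
// Added example, not qinglong's code. Route table, filter shape and handler
// names are assumed for illustration.

const ROUTES = [
  { method: 'PUT', path: '/api/system/command-run', handler: 'runCommand' },
  { method: 'POST', path: '/api/user/login', handler: 'login' },
];

// Resolve a request to a handler the way Express does by default: the path
// comparison ignores case, so "/apI/..." reaches the same handler as "/api/...".
function route(method, path) {
  const hit = ROUTES.find(
    (r) => r.method === method && r.path.toLowerCase() === path.toLowerCase(),
  );
  return hit ? hit.handler : null;
}

// Vulnerable filter: the JWT check is applied only to paths matching a
// case-sensitive regex, so a path that differs only in case is never checked.
const PROTECTED_PREFIX = /^\/api\//;
function requiresAuthVulnerable(path) {
  return PROTECTED_PREFIX.test(path);
}

// Hardened filter: fold the path to the same case the router uses and deny
// by default, exempting only an explicit list of public routes.
const PUBLIC_PATHS = new Set(['/api/user/login']);
function requiresAuthHardened(path) {
  return !PUBLIC_PATHS.has(path.toLowerCase());
}

// Simulated pipeline: 404 if no route matches, 401 if auth is required and
// the request carries no valid JWT, otherwise the handler that would run.
function handle(method, path, hasValidJwt, requiresAuth) {
  const handler = route(method, path);
  if (!handler) return { status: 404 };
  if (requiresAuth(path) && !hasValidJwt) return { status: 401 };
  return { status: 200, handler };
}

// The same unauthenticated, case-variant request against both filters.
const probe = ['PUT', '/apI/system/command-run', false];
console.log('vulnerable:', handle(...probe, requiresAuthVulnerable)); // { status: 200, handler: 'runCommand' }
console.log('hardened:  ', handle(...probe, requiresAuthHardened));   // { status: 401 }
```

In a real Express application the equivalent hardening is to mount the JWT middleware on the router itself (or enable `app.set('case sensitive routing', true)` so the router and the filter agree) and to treat every route as protected unless it is explicitly listed as public, rather than deciding authentication from a path regex that can disagree with routing.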


How can this vulnerability impact me?

This vulnerability allows remote attackers to execute arbitrary shell commands on the affected qinglong server, potentially gaining server-level permissions.

Exploitation can lead to unauthorized access, data compromise, and further attacks within the internal network, impacting the confidentiality, integrity, and availability of the system.

Because the attack can be launched remotely without local access, it poses a significant risk to systems running vulnerable versions.

Additionally, the vulnerability enables attackers to bypass authentication mechanisms, potentially resetting credentials and taking control of the system.

Mitigation requires upgrading to version 2.20.2, which patches the vulnerability and prevents unauthorized command execution and authentication bypass.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted request to the API interface's /command-run endpoint that bypasses the authentication filter.

The public proof-of-concept sends a PUT request to /apI/system/command-run (note the capitalized "I" in "apI", which the regex filter does not match) with a JSON payload containing a command such as "whoami". If the command executes on the server, the system is vulnerable.

Example curl command:

curl -X PUT http://<target-host>:<port>/apI/system/command-run -H "Content-Type: application/json" -d '{"command":"whoami"}'

If the response contains the command output (for example, the username the service runs as), the vulnerability is present. Note that this check is itself exploitation: a positive result means a command ran on the target, so use it only against systems you are authorized to test, and compare it with the same request to the lowercase path /api/system/command-run, which should be rejected without a valid token. Where active probing is not acceptable, check the installed qinglong version instead; any version up to 2.20.1 is affected. [2]


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation step is to upgrade the affected qinglong software to version 2.20.2, which contains the patch that fixes this vulnerability.

The patch addresses the improper input validation and authentication bypass issues in the API interface, preventing unauthorized command execution.

Until the upgrade can be applied, restrict access to the vulnerable API endpoints, especially /command-run, with network-level controls such as firewall rules or API gateway filtering. Because the bypass relies on case variants of the path, any path-based rule must match case-insensitively (or normalize the path before matching); a rule that blocks only the literal lowercase /api/system/command-run leaves the bypass open.

Additionally, monitor logs for unusual API requests, especially those targeting `/command-run` with suspicious payloads.
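One way to do that log monitoring, as an added example that is not qinglong's own code: scan reverse-proxy access logs for requests whose path case-folds to an /api/ route but is not written in lowercase, since legitimate clients do not vary path case and that is exactly the shape of the bypass. The log lines below are constructed for the example, and the assumption that your proxy writes the common "combined" log format is mine.

```javascript
// Added example, not qinglong's code. SAMPLE_LOG is constructed; the parser
// assumes the "combined" access-log format of a typical reverse proxy.

const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "PUT /api/system/command-run HTTP/1.1" 401 27 "-" "curl/8.5.0"',
  '203.0.113.7 - - [12/Mar/2026:10:01:05 +0000] "PUT /apI/system/command-run HTTP/1.1" 200 142 "-" "curl/8.5.0"',
  '10.0.0.5 - - [12/Mar/2026:10:02:00 +0000] "GET /api/crons HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [12/Mar/2026:10:03:10 +0000] "PUT /API/SYSTEM/COMMAND-RUN?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"',
].join('\n');

// client ip, timestamp, method, request target, status code
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const path = target.split('?')[0]; // drop the query string before comparing
  return { ip, time, method, path, status: Number(status) };
}

// Suspicious when the case-folded path is under /api/ but the literal path
// is not already lowercase: that is the case-variant used by the bypass.
function isCaseVariantApiPath(path) {
  const folded = path.toLowerCase();
  return folded.startsWith('/api/') && folded !== path;
}

// Returns one finding per case-variant request. A 2xx response on such a
// path means the filter did not apply, so it is rated high (likely bypass
// on an unpatched host); anything else is a medium-severity attempt.
function scan(logText) {
  const findings = [];
  for (const raw of logText.split('\n')) {
    const req = parseLine(raw.trim());
    if (!req || !isCaseVariantApiPath(req.path)) continue;
    findings.push({
      ...req,
      commandRun: req.path.toLowerCase() === '/api/system/command-run',
      severity: req.status >= 200 && req.status < 300 ? 'high' : 'medium',
    });
  }
  return findings;
}

for (const f of scan(SAMPLE_LOG)) {
  console.log(`${f.severity.toUpperCase()} ${f.ip} ${f.method} ${f.path} -> ${f.status}` +
    (f.commandRun ? ' (command-run)' : ''));
}
```

Run it over the real proxy log instead of SAMPLE_LOG by reading the file into `scan`; on the constructed input it reports the two case-variant requests and ignores the lowercase one that was correctly rejected with 401.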

