whyour Qinglong Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability exists in whyour Qinglong versions prior to 2.20.1. The issue arises from the API interface in the file back/loaders/express.ts, where user-supplied parameters are not properly validated. This lack of filtering allows attackers to execute arbitrary commands on the server, potentially serving as a foothold for further attacks on the internal network. The vulnerability has been publicly disclosed and exploited.

Impact

Exploitation of this vulnerability allows for remote command execution on the affected server.

Reproduction

To reproduce this vulnerability, send a PUT request to the /api/system/command-run endpoint with a JSON payload containing the command to be executed, such as 'whoami'.
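For defenders, the request shape described above is also the detection signal: a PUT to /api/system/command-run is unusual for normal scheduled-task use and is easy to pick out of a reverse-proxy access log. The following is an added example, not code from the Qinglong project or from this advisory. It assumes a combined-format access log from a proxy in front of Qinglong (an assumption; the log lines below are constructed for illustration) and reports every matching request together with its status code, so that accepted (2xx) calls can be triaged ahead of rejected ones.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in combined log format.
# These are NOT taken from any real system; they exist only to exercise the parser.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:00:10:01 +0000] "GET /api/crons HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:00:10:07 +0000] "PUT /api/system/command-run HTTP/1.1" 200 128 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2026:00:10:09 +0000] "GET /api/system HTTP/1.1" 200 340 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:00:10:12 +0000] "PUT /api/system/command-run?x=1 HTTP/1.1" 401 64 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The endpoint named in the advisory.
SENSITIVE_ENDPOINT = "/api/system/command-run"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_command_run_call(entry: Dict[str, str]) -> bool:
    """True when the request is a PUT to the command-run endpoint (query string ignored)."""
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "PUT" and path == SENSITIVE_ENDPOINT


def find_command_run_calls(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed entry that targets the command-run endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_command_run_call(entry):
            hits.append(entry)
    return hits


def accepted_calls(hits: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Subset of hits the server answered with 2xx, i.e. requests that were actually accepted."""
    return [h for h in hits if h["status"].startswith("2")]


if __name__ == "__main__":
    hits = find_command_run_calls(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print(f"{len(accepted_calls(hits))} of {len(hits)} command-run requests were accepted")
```

A 401 on this endpoint shows the proxy saw the attempt but the application rejected it; a 2xx is the line that needs to be correlated with process execution on the host.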

Remediation

Upgrade to Qinglong version 2.20.2, which addresses this vulnerability.

Added: Mar 12, 2026, 12:19 AM
Updated: Mar 12, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.