Qinglong, a self-hosted scheduled task automation platform, carries CVE-2026-3965 (CVSS 8.6, CWE-693 protection mechanism failure, CISA KEV and VulnCheck KEV confirmed, unauthenticated remote command execution via the API interface). A vendor patch is available in version 2.20.2 (commit 6bec52dca158481258315ba0fc2f11206df7b719). Organizations should upgrade immediately, restrict API access to trusted IPs, and audit all scheduled task definitions for unauthorized injected commands from any exploitation window.