whyour Qinglong versions 2.20.1 and earlier are affected by CVE-2026-3965 (CVSS 8.6), a protection mechanism bypass in the API interface that allows unauthenticated remote attackers to execute arbitrary commands via manipulated API arguments. The vulnerability is confirmed in both the CISA and VulnCheck KEV catalogs, indicating active exploitation. Upgrade to version 2.20.2 (commit 6bec52dca158481258315ba0fc2f11206df7b719) immediately, and treat any internet-exposed Qinglong instance as potentially compromised pending investigation. As an immediate compensating control, restrict external network access to the Qinglong panel (default port 5700) at the perimeter.
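
A host-level triage check for the actions above, as an added example that is not Qinglong's own code: it takes a version string and `ss -ltn` output and returns the advisory actions that apply. The function names, the accepted version format and the sample listener table are assumptions constructed for illustration. A non-loopback bind is only a proxy for exposure, which the perimeter ultimately decides.

```python
import ipaddress
import re

FIXED = (2, 20, 2)   # first fixed release named in the advisory
PANEL_PORT = 5700    # default panel port named in the advisory

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:5700      0.0.0.0:*
LISTEN 0      511          0.0.0.0:5700      0.0.0.0:*
LISTEN 0      128            [::1]:5700         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""

def parse_version(text):
    """'2.20.1' or 'v2.20.1' -> (2, 20, 1); None if the format is unexpected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def off_host_binds(ss_output, port=PANEL_PORT):
    """Local addresses listening on `port` that are not loopback-only."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                      # header or non-listening socket
        host, _, bound_port = cols[3].rpartition(":")
        if bound_port != str(port):
            continue
        host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            found.append(cols[3])
    return found

def triage(version_text, ss_output):
    """Return the advisory actions that apply to one host."""
    version = parse_version(version_text)
    affected = version is None or version < FIXED   # unknown version: assume affected
    binds = off_host_binds(ss_output)
    actions = []
    if affected:
        actions.append("upgrade to 2.20.2")
    if binds:
        actions.append("restrict port 5700 at the perimeter")
    if affected and binds:
        actions.append("investigate as potentially compromised")
    return actions

if __name__ == "__main__":
    print(triage("v2.20.1", SAMPLE_SS))
```

A host already on 2.20.2 that ran an affected version while reachable may still warrant review; this check only reflects the host's current state.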