CVE-2026-3965 in whyour Qinglong is a CISA KEV-confirmed remote command injection vulnerability (CVSS 8.6) affecting the API Interface component in versions through 2.20.1, allowing unauthenticated attackers to bypass protection mechanisms and execute arbitrary OS commands. Despite a low EPSS score, CISA KEV status confirms active exploitation is already underway, overriding the probabilistic signal. Immediate actions: upgrade to version 2.20.2 (commit 6bec52dca158481258315ba0fc2f11206df7b719), restrict API access to trusted IPs until patched, and audit Qinglong-scheduled tasks for unauthorized entries.