CVE-2026-3965 (CVSS 8.6, CISA KEV confirmed, priority 0.658) affects the whyour Qinglong scheduled task management platform through version 2.20.1. It enables unauthenticated remote command injection via a protection mechanism failure (CWE-693) in the API’s command argument handling. CISA KEV confirms active exploitation, which overrides the low EPSS score as a prioritization signal. Organizations must upgrade to version 2.20.2 (patch commit 6bec52dca158481258315ba0fc2f11206df7b719) immediately and, until patching is complete, restrict API port access to trusted internal IP ranges.