Qinglong active authentication-bypass exploitation wave

Summary

Qinglong instances exposed to the internet are under an active exploitation wave that chains CVE-2026-3965 and CVE-2026-4047 to bypass authentication and reach protected admin endpoints. The abuse has been underway since February 7 and is being used to deploy cryptominers and achieve remote code execution on developers' servers. Multiple confirmed infections, including systems behind Nginx and SSL, show the wave has moved beyond isolated probing.

Timeline

  1. 29.04.2026 23:50 2 articles · 27d ago

    Attackers exploit Qinglong authentication bypass flaws

    Exploitation Observed

    Attackers began exploiting CVE-2026-3965 and CVE-2026-4047 against publicly exposed Qinglong panels, chaining the authentication bypass flaws to reach protected endpoints and deploy cryptominers on developers' servers.

  2. 29.04.2026 23:50 1 articles · 27d ago

    Qinglong maintainers respond with update guidance

    Mitigation Patch Update

    On March 1, Qinglong maintainers acknowledged the vulnerability and urged users to install the latest update after an initial mitigation in pull release #2924 focused on blocking command-injection patterns proved insufficient against the authentication-bypass chain.

  3. 29.04.2026 23:50 1 articles · 27d ago

    Snyk discloses Qinglong .fullgc miner abuse and root cause

    Initial Disclosure

    Snyk researchers disclosed that Qinglong users first noticed a rogue hidden process named '.fullgc' consuming 85% to 100% of CPU power, and the same analysis tied the abuse to attackers modifying Qinglong's config.sh, downloading a miner to '/ql/data/db/.fullgc', and running it in the background. The root cause was a mismatch between middleware authorization logic and Express.js routing behavior, and the effective fix came in PR #2941.
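
A triage check for the indicators named in this entry (the '.fullgc' process, the '/ql/data/db/.fullgc' file, and references to it in config.sh), added here as an example and not taken from Snyk's analysis or the Qinglong project. The /ql/data default root is an assumption inferred from the reported miner path, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Triage for the '.fullgc' miner indicators reported for Qinglong hosts.
# Assumption: the data root defaults to /ql/data, inferred from the reported
# miner path /ql/data/db/.fullgc. Pass another root for a different volume.

# Print the miner path if the file exists under the given data root.
find_miner_file() {
    local root="$1"
    if [ -e "$root/db/.fullgc" ]; then
        printf '%s\n' "$root/db/.fullgc"
    fi
}

# Print file:line:text for every config.sh line that mentions '.fullgc'.
# The injected text itself is not published, so only the file name is matched.
find_config_refs() {
    local root="$1"
    find "$root" -type f -name 'config.sh' \
        -exec grep -Hn -F -- '.fullgc' {} + 2>/dev/null || true
}

# Read "pid pcpu comm" rows on stdin; print rows whose command basename
# is '.fullgc' (works for both bare names and full paths).
find_miner_procs() {
    awk '{ n = split($3, p, "/"); if (p[n] == ".fullgc") print $1, $2, $3 }'
}

# Run all three checks; return 1 if anything was found.
scan_qinglong() {
    local root="${1:-/ql/data}" hits
    hits="$(find_miner_file "$root"
            find_config_refs "$root"
            ps -eo pid=,pcpu=,comm= | find_miner_procs)"
    if [ -n "$hits" ]; then
        printf 'indicators found:\n%s\n' "$hits"
        return 1
    fi
    printf 'no .fullgc indicators under %s\n' "$root"
}

# Only scan when asked, so the functions can be sourced into other tooling.
if [ "${1:-}" = "--scan" ]; then
    scan_qinglong "${2:-}"
fi
```

A clean result only means these specific artifacts are absent; it does not show the panel is patched, for which the entry names PR #2941 as the effective fix.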
