CVE-2026-55445 in Qinglonginformation

Résumé

par MITRE • 16/07/2026

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsable

GitHub M

Réserver

16/06/2026

Divulgation

16/07/2026

Modérer

accepté

Entrée

VDB-379432

CPE

prêt

EPSS

0.00000

KEV

non

Activités

très faible

Sources

Interested in the pricing of exploits?

See the underground prices here!