Web Application Detections Published in August 2025
In August, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including: OAuth2-Proxy, Squid, WordPress, Hashicorp, SolarWinds, JetBrains, 1Panel, Microsoft, Mattermost, SimpleHelp, SuiteCRM, Apache, CrushFTP, Adobe, Ivanti, NVIDIA, Sitecore, Jenkins, GitLab, Cisco and JWT.
The following table lists the web application detections released in August 2025.
| QID | Title |
|---|---|
| 520072 | OAuth2-Proxy Authentication Bypass Vulnerability (CVE-2025-54576) |
| 520073 | Squid Buffer Overflow Vulnerability (CVE-2025-54574) |
| 530327 | WordPress Madara Core Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7712) |
| 530354 | Hashicorp Vault Code Execution Vulnerability (CVE-2025-6000) |
| 530355 | SolarWinds Web Help Desk XML External Entity Injection (XXE) Vulnerability (CVE-2025-26400) |
| 530356 | JetBrains YouTrack Improper iframe Configuration Vulnerability (CVE-2025-54527) |
| 530357 | WordPress Hydra Booking Plugin: Privilege Escalation Vulnerability (CVE-2025-7689) |
| 530358 | WordPress AI Engine Plugin: Arbitrary File Upload Vulnerability (CVE-2025-7847) |
| 530360 | 1Panel Remote Code Execution Vulnerability (CVE-2025-54424) |
| 530361 | Hashicorp Vault Improper Certificate Validation Vulnerability (CVE-2025-6037) |
| 530362 | Hashicorp Vault Improper Privilege Management (CVE-2025-5999) |
| 530363 | Hashicorp Vault TOTP Secrets Engine Code Reuse (CVE-2025-6014) |
| 530364 | WordPress WP Import Export Lite Plugin: Arbitrary File Upload Vulnerability (CVE-2025-5061) |
| 530365 | WordPress WP Import Export Lite Plugin: Arbitrary File Upload Vulnerability (CVE-2025-6207) |
| 530366 | Microsoft FrontPage Extensions Configuration Information Disclosure |
| 530367 | Microsoft FrontPage Extensions service.cnf File Disclosure |
| 530368 | Mattermost Authorization Bypass Vulnerability (CVE-2025-6226) |
| 530369 | WordPress Service Finder Bookings Plugin: Privilege Escalation Vulnerability (CVE-2025-5947) |
| 530370 | WordPress Service Finder SMS System Plugin: Privilege Escalation Vulnerability (CVE-2025-5954) |
| 530371 | WordPress CleverReach-WP Plugin: SQL Injection Vulnerability (CVE-2025-7036) |
| 530372 | SimpleHelp Untrusted Control Sphere Vulnerability (CVE-2025-36727) |
| 530373 | SimpleHelp Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-36728) |
| 530374 | WordPress Request a Quote Form Plugin: Remote Code Execution Vulnerability (CVE-2025-8420) |
| 530375 | SuiteCRM PHP Object Injection Vulnerability (CVE-2025-54785) |
| 530376 | SuiteCRM InboundEmail SQL Injection Vulnerability (CVE-2025-54788) |
| 530377 | Apache Seata Insecure Deserialization Vulnerability (CVE-2025-53606) |
| 530378 | CrushFTP Authentication Bypass Vulnerability (CVE-2025-54309) |
| 530379 | Apache Jackrabbit XML External Entity (XXE) Injection Vulnerability (CVE-2025-53689) |
| 530380 | Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability (CVE-2025-24854) |
| 530381 | Microsoft SharePoint Server Remote Code Execution Vulnerabilities (CVE-2025-49703, CVE-2025-49704) |
| 530382 | Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-49701) |
| 530383 | Microsoft SharePoint Server Spoofing Vulnerability (CVE-2025-49706) |
| 530385 | Adobe Magento CMS Detected |
| 530386 | Adobe Magento Improper Access Control Vulnerability (CVE-2025-43586) |
| 530387 | Ivanti Avalanche SQL Injection Vulnerability (CVE-2025-8296) |
| 530388 | Ivanti Avalanche Remote Code Execution (RCE) Vulnerability (CVE-2025-8297) |
| 530389 | Ivanti Connect Secure (ICS) Denial of Service (DoS) Vulnerabilities (CVE-2025-5456, CVE-2025-5462) |
| 530390 | Adobe Magento Improper Authorization Vulnerability (CVE-2025-43585) |
| 530391 | Adobe Magento Cross-Site Scripting Vulnerability (CVE-2025-47110) |
| 530392 | Adobe Magento Improper Access Control Vulnerability (CVE-2025-27206) |
| 530393 | Adobe Experience Manager Forms Code Execution Vulnerability (CVE-2025-54253) |
| 530394 | Adobe Experience Manager Forms XML External Entity (XXE) Vulnerability (CVE-2025-54254) |
| 530395 | Adobe Magento Incorrect Authorization Vulnerability (CVE-2025-49550) |
| 530396 | Adobe Magento Incorrect Authorization Vulnerability (CVE-2025-49549) |
| 530397 | WordPress Contact Form Entries Plugin: PHP Object Injection Vulnerability (CVE-2025-7384) |
| 530398 | WordPress B Blocks Plugin: Privilege Escalation Vulnerability (CVE-2025-8059) |
| 530400 | WordPress B Slider Plugin: Arbitrary Plugin Installation Vulnerability (CVE-2025-8418) |
| 530401 | NVIDIA Triton Inference Server Remote Code Execution (RCE) Vulnerabilities |
| 530402 | WordPress StoryChief Plugin: Arbitrary File Upload Vulnerability (CVE-2025-7441) |
| 530403 | Apache Tomcat HTTP/2 Denial of Service (DoS) Vulnerability (CVE-2025-48989) |
| 530404 | Sitecore Experience Platform (XP) Authentication Bypass Vulnerability (CVE-2025-34509) |
| 530405 | Sitecore Experience Platform (XP) File Disclosure Vulnerability (CVE-2024-46938) |
| 530406 | Sitecore Experience Platform (XP) Insecure Deserialization Vulnerability (CVE-2019-9874) |
| 530407 | Sitecore Experience Platform (XP) Insecure Deserialization Vulnerability (CVE-2019-9875) |
| 530408 | NVIDIA Triton Inference Server Information Disclosure Vulnerabilities (CVE-2025-23320, CVE-2025-23333, CVE-2025-23334) |
| 530409 | NVIDIA Triton Inference Server Denial of Service (DoS) Vulnerability (CVE-2025-23321) |
| 530410 | NVIDIA Triton Inference Server Denial of Service (DoS) Vulnerabilities (CVE-2025-23322, CVE-2025-23331) |
| 530411 | Apache Zeppelin Cross-Site Scripting (XSS) Vulnerability (CVE-2024-41177) |
| 530412 | Jenkins Credentials Binding Plugin Credentials Disclosure Vulnerability (CVE-2025-53650) |
| 530413 | NVIDIA Triton Inference Server Denial of Service (DoS) Vulnerabilities |
| 530414 | GitLab CE/EE Cross-site Scripting Vulnerability (CVE-2025-7739) |
| 530415 | GitLab CE/EE Cross-site Scripting Vulnerability (CVE-2025-6186) |
| 530416 | Jenkins HTML Publisher Plugin Information Disclosure Vulnerability (CVE-2025-53651) |
| 530417 | Jenkins Git Parameter Plugin Code Injection Vulnerability (CVE-2025-53652) |
| 530418 | WordPress Cloudflare Image Resizing Plugin: Remote Code Execution Vulnerability (CVE-2025-8723) |
| 530419 | WordPress E-cab Taxi Booking Manager Plugin: Privilege Escalation Vulnerability (CVE-2025-8898) |
| 530420 | Jenkins Aqua Security Scanner Plugin Unencrypted Token Storage Vulnerability (CVE-2025-53653) |
| 530421 | Jenkins Applitools Eyes Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-53658) |
| 530422 | WordPress WP Webhooks Plugin: Arbitrary File Copy Vulnerability (CVE-2025-8895) |
| 530425 | Cisco Identity Services Engine Remote Code Execution Vulnerabilities (CVE-2025-20281) |
| 530426 | Jenkins Testsigma Test Plan Run Plugin API Key Exposure Vulnerability (CVE-2025-53661) |
| 530427 | Adobe Magento Remote Code Execution Vulnerability (CVE-2019-8144) |
| 530430 | Jenkins Warrior Framework Plugin Unencrypted Password Storage Vulnerability (CVE-2025-53675) |
| 530431 | Jenkins Kryptowire Plugin Unencrypted API Key Storage Vulnerability (CVE-2025-53672) |
| 530432 | Jenkins IBM Cloud DevOps Plugin Unencrypted Token Storage Vulnerability (CVE-2025-53663) |
| 580802 | Endpoint Accessible Without Authentication |
| 580803 | JWT none algorithm supported |
| 580804 | Use of Outdated or Unsupported API Version |
| 580805 | Sensitive Data Exposure through debug endpoint |
| 580806 | Unauthorized Creation of Privileged Account |
| 580808 | CRLF Injection |
| 580809 | Authentication Bypass via Empty Password |
| 580810 | Authentication Bypass using SQL Injection |
| 580812 | IP Address Injection via HTTP Headers |
| 580813 | DELETE Method Detected |
| 580814 | JSON Web Token Error Stack Trace Exposure |
| 580815 | Missing CSRF Token Validation |
| 580816 | Improper CSRF Token Validation |