Web Application Detections Published in December 2025

In December, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:

Liferay, Atlassian, Kibana, SolarWinds, PHP, Adobe, pgAdmin, JetBrains, GitLab, Nginx, WordPress, vLLM, Fortinet, Drupal, React, Apache, ClipBucket, Jenkins, Infoblox, Ollama, Gogs, FreePBX, 1Panel, XWiki, Cisco, Roundcube, GeoServer, N8n, HexStrike

Details about the following QIDs can be found in our knowledge base. Please review the scan reports for your applications for these detections and, if any are identified, follow the remediation steps provided in the knowledge base to ensure the affected applications are protected against the reported vulnerabilities. Resolving these vulnerabilities promptly after they are detected should be a priority for all organizations. Left unaddressed, they expose applications to risks such as data breaches, unauthorized access, and other malicious activity.

The following table lists the QIDs released in December 2025.

QID Title
520083 Liferay Portal Cross-site scripting (XSS) Vulnerability (CVE-2025-62265)
520084 Liferay Portal DNS Rebinding Vulnerability (CVE-2025-62266)
520085 Liferay Portal Password Enumeration Vulnerability (CVE-2025-62257)
520086 Liferay Portal Reflected Cross-site scripting (XSS) Vulnerability (CVE-2025-4576)
520087 Atlassian Jira Data Center and Server Path Traversal Vulnerability (CVE-2025-22167)
520088 Liferay Portal Observable Discrepancy Vulnerability (CVE-2025-43739)
520089 Kibana Unbounded Allocation Vulnerability (CVE-2024-43708)
520090 SolarWinds Serv-U Remote Code Execution (RCE) Vulnerabilities (CVE-2025-40547,CVE-2025-40548)
520091 SolarWinds Serv-U Path Restriction Bypass Vulnerability (CVE-2025-40549)
520092 Kibana Improper Authorization Vulnerability (CVE-2025-68422)
520093 PHP NULL Pointer Dereference Vulnerability (CVE-2025-6491)
520094 PHP HTTP Redirect Location Buffer Truncation Vulnerability (CVE-2025-1861)
520095 PHP Improper Input Validation Vulnerability (CVE-2025-1736)
520096 PHP SQL Injection Vulnerability (CVE-2025-1735)
520097 PHP Server-Side Request Forgery Vulnerability (CVE-2025-1220)
520098 PHP HTTP Redirect Header Confusion Vulnerability (CVE-2025-1219)
520099 PHP Interpretation Conflict Vulnerability (CVE-2025-1217)
530658 Adobe Magento Unrestricted File Upload Vulnerability (CVE-2024-39397)
530668 Adobe Magento Cross-Site Request Forgery Vulnerabilities (CVE-2024-39408,CVE-2024-39409,CVE-2024-39410)
530679 pgAdmin Remote Code Execution (RCE) Vulnerability (CVE-2025-12762)
530697 JetBrains YouTrack Junie Token Exposure Vulnerability (CVE-2025-64689)
530698 JetBrains YouTrack VCS URL Validation Vulnerability (CVE-2025-64688)
530699 GitLab CE/EE Improper Access Control Vulnerability (CVE-2025-7736)
530700 GitLab CE/EE Denial Of Service Vulnerability (CVE-2025-12983)
530702 JetBrains YouTrack Missing Authorization Vulnerabilities (CVE-2025-64684,CVE-2025-64687,CVE-2025-64690)
530703 Nginx Server-Status page exposed (stub_status)
530704 WordPress Easy WP SMTP Plugin: Administrator Account Takeover Vulnerability (CVE-2020-35234)
530705 vLLM Remote Code Execution (RCE) Vulnerability (CVE-2025-66448)
530706 WordPress Cost Calculator Builder Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-12529)
530707 Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)
530708 Drupal JSON Field: Cross Site Scripting (XSS) Vulnerability (CVE-2025-10926)
530709 Drupal Access code: Access Bypass Vulnerability (CVE-2025-10928)
530711 WordPress ProfileGrid Plugin: PHP Object Injection Vulnerability (CVE-2025-0724)
530712 React Server Components Remote Code Execution (RCE) Vulnerability (CVE-2025-55182) (React2Shell)
530713 Apache Druid Kerberos Authentication Unsecure Cryptographic Secret Vulnerability (CVE-2025-59390)
530714 WordPress AI ChatBot Plugin: Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-13378)
530717 ClipBucket V5 Authorization Bypass Vulnerability (CVE-2025-65113)
530718 Apache Tomcat ANSI Escape Sequence Injection in Log Messages (CVE-2025-55754)
530719 Jenkins Curseforge Publisher Plugin: API Key Disclosure Vulnerability (CVE-2025-64147)
530720 vLLM Remote Code Execution (RCE) Vulnerabilities (CVE-2025-32444,CVE-2025-47277)
530721 vLLM Denial of Service (DoS) Vulnerability (CVE-2025-30202)
530722 Apache Syncope Default AES Key Utilized For Encryption Vulnerability (CVE-2025-65998)
530723 Infoblox NetMRI Unauthenticated Command Injection Vulnerability (CVE-2025-32813)
530724 vLLM Denial of Service (DoS) Vulnerability (CVE-2025-46560)
530725 WordPress Username Enumeration via Author ID Parameter
530726 Jenkins MCP Server Plugin Missing Authorization Vulnerability (CVE-2025-64132)
530727 Apache OFBiz Template Engine Vulnerability (CVE-2025-26865)
530728 Jenkins SAML Plugin Replay Vulnerability (CVE-2025-64131)
530729 Jenkins Extensible Choice Parameter Plugin CSRF Vulnerability (CVE-2025-64133)
530730 Jenkins JDepend Plugin XXE Vulnerability (CVE-2025-64134)
530731 GitLab CE/EE Race Condition Vulnerability (CVE-2024-9183)
530732 GitLab CE/EE Denial Of Service Vulnerability (CVE-2025-12571)
530733 GitLab CE/EE Authentication Bypass Vulnerability (CVE-2025-12653)
530734 Ollama Cross-Domain Authentication Token Exposure (CVE-2025-51471)
530735 GitLab CE/EE Denial Of Service Vulnerability (CVE-2025-7449)
530736 Adobe ColdFusion Multiple Vulnerabilities (APSB25-105)
530737 Gogs Symlink Bypass Vulnerability (CVE-2025-8110)
530738 GitLab EE Improper Authorization Vulnerability (CVE-2025-6195)
530739 GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-13611)
530740 Apache Struts Showcase App Denial of Service Vulnerability (CVE-2025-64775)
530741 WordPress Hippoo Mobile App for WooCommerce Plugin: Arbitrary File Read Vulnerability (CVE-2025-13339)
530742 React Server Components Denial of Service (DoS) Vulnerability (CVE-2025-55184)
530743 FreePBX Improper Authentication Vulnerability (CVE-2025-66039)
530744 FreePBX SQL Injection Vulnerability (CVE-2025-61675)
530745 FreePBX File Upload Vulnerability (CVE-2025-61678)
530746 1Panel CAPTCHA Verification Bypass Vulnerability (CVE-2025-66507)
530747 pgAdmin Code Injection Vulnerability (CVE-2025-13780)
530748 XWiki Sensitive File Disclosure Vulnerability (CVE-2025-55749)
530749 WordPress LT Unleashed Plugin: Local File Inclusion Vulnerability (CVE-2025-13886)
530750 WordPress Elated Membership Plugin: Authentication Bypass Vulnerability (CVE-2025-13613)
530751 Apache Tika XML External Entity (XXE) Vulnerability (CVE-2025-66516,CVE-2025-54988) (Intrusive Check)
530752 Git Repository Found
530753 WordPress Export WP Pages Plugin: Sensitive Information Exposure Vulnerability (CVE-2025-11693)
530754 WordPress JAY Login and Register Plugin: Authentication Bypass Vulnerability (CVE-2025-14440)
530755 WordPress URL Shortener Plugin: SQL Injection Vulnerability (CVE-2025-10738)
530756 WordPress WPCOM Member Plugin: Authentication Bypass Vulnerability (CVE-2025-14002)
530757 Cisco AsyncOS Secure Email Gateway Remote Command Execution (RCE) Vulnerability (CVE-2025-20393)
530758 WordPress Fox LMS Plugin: Privilege Escalation Vulnerability (CVE-2025-14156)
530760 Roundcube Webmail Information Disclosure Vulnerability (CVE-2025-68460)
530761 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability (CVE-2025-68461)
530762 Apache StreamPark Use of Hard-Coded Key Vulnerability (CVE-2025-54947)
530766 JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities
530767 JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-68268)
530768 WordPress Booking Calendar Plugin: Blind SQL Injection Vulnerability (CVE-2025-14383)
530769 WordPress Demo Importer Plus Plugin: Privilege Escalation Vulnerability (CVE-2025-14364)
530770 WordPress NextGEN Gallery Plugin: Local File Inclusion Vulnerability (CVE-2025-13641)
530771 JetBrains TeamCity Excessive Privileges Vulnerability (CVE-2025-68267)
530773 GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-12029)
530774 GeoServer XML External Entity (XXE) Processing Vulnerability (CVE-2025-58360)
530775 Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2025-59718)
530776 Fortinet FortiWeb Authentication Bypass Vulnerability (CVE-2025-59719)
530777 N8n Remote Code Execution Vulnerability (CVE-2025-68613)
530778 WordPress Contact Form 7 Redirect Plugin: Arbitrary File Upload Vulnerability (CVE-2025-14800)
530780 WordPress Doubly Plugin: PHP Object Injection Vulnerability (CVE-2025-14476)
530784 GitLab CE/EE Improper Encoding Vulnerability (CVE-2025-8405)
530785 GitLab CE/EE Denial of Service Vulnerability (CVE-2025-12562)
530786 WordPress WP User Manager Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-13320)
530787 WordPress Ninja Forms Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-11924)
530788 WordPress Hummingbird Plugin: Sensitive Information Exposure Vulnerability (CVE-2025-14437)
530789 GitLab CE/EE Authentication Bypass Vulnerability (CVE-2025-11984)
530790 GitLab CE/EE Denial of Service Vulnerability (CVE-2025-4097)
580896 Hash Disclosure in Sensitive Fields
580897 HexStrike AI MCP Server Command Injection Vulnerability (CVE-2025-35028)
580898 Mass Assignment: Unauthorized Modification of Sensitive Attributes
