Application Security Detections Published in February 2026
In February, Qualys TotalAppSec released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
Axios, Fabric.js, OpenSSL, ClipBucket, Atlassian, Jenkins, SolarWinds, Laravel, WordPress, Apache, Ivanti, Moodle, MLflow, vLLM, Grafana, N8n, Fortinet, React Native Community, pgAdmin, GitLab, Apache Airflow, Apache Hadoop, Apache Druid, Apache HertzBeat, Zohocorp, Dify, Roundcube, SAP, Oracle, BentoML, Cisco, BeyondTrust, Zimbra, MCPJam, Splunk, Alfresco, EasyCVR, Apigee, Axway, Ambassador, Couchbase, FreshRSS, Jeecg Boot, Seafile, Strapi, Tolgee, and Langflow
Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities. Immediate resolution of these vulnerabilities as soon as they are detected should be a priority for all organizations. If not addressed, these vulnerabilities can pose security risks, such as breaches, unauthorized access, and various malicious activities.
The following table lists the QIDs released in February 2026.
| QID | Title |
| 151079 | Axios Denial of Service (DoS) Vulnerability (CVE-2026-25639) |
| 151080 | Fabric.js Cross Site Scripting (XSS) Vulnerability (CVE-2026-27013) |
| 520102 | Open Secure Sockets Layer (OpenSSL) Denial of Service (DoS) Vulnerabilities (CVE-2025-15468, CVE-2025-66199) |
| 520103 | Open Secure Sockets Layer (OpenSSL) dgst Input Truncation Vulnerability (CVE-2025-15469) |
| 520104 | Open Secure Sockets Layer (OpenSSL) Denial of Service (DoS) Vulnerabilities (CVE-2025-68160, CVE-2025-69421, CVE-2026-22796) |
| 520105 | ClipBucket V5 Blind SQL Injection Vulnerability (CVE-2026-21875) |
| 520106 | Open Secure Sockets Layer (OpenSSL) Denial of Service (DoS) Vulnerabilities (CVE-2025-69419, CVE-2025-69420, CVE-2026-22795) |
| 520107 | Open Secure Sockets Layer (OpenSSL) OCB Partial Block Encryption Vulnerability (CVE-2025-69418) |
| 520108 | Atlassian Crowd Data Center and Server XML External Entity Injection (XXE) Vulnerability (CVE-2026-21569) |
| 520109 | ClipBucket V5 Remote Code Execution Vulnerability (CVE-2026-25728) |
| 520110 | ClipBucket V5 Server-Side Request Forgery Vulnerability (CVE-2026-26005) |
| 520111 | Jenkins Core Stored Cross-site Scripting (XSS) Vulnerability (CVE-2026-27099) |
| 520112 | Jenkins Core Build Information Disclosure Vulnerability (CVE-2026-27100) |
| 520113 | SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability (CVE-2025-40538) |
| 520114 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerabilities (CVE-2025-40539, CVE-2025-40540) |
| 520115 | SolarWinds Serv-U IDOR Remote Code Execution Vulnerability (CVE-2025-40541) |
| 530825 | Laravel Bagisto Missing Authentication Vulnerability (CVE-2026-21446) |
| 530852 | WordPress Aora Theme: Local File Inclusion Vulnerability (CVE-2025-68985) |
| 530853 | WordPress Academy LMS Plugin: Account Takeover Vulnerability (CVE-2025-15521) |
| 530854 | WordPress Membership Plugin: Missing Authentication Vulnerability (CVE-2025-14844) |
| 530855 | WordPress ACF Extended Plugin: Privilege Escalation Vulnerability (CVE-2025-14533) |
| 530856 | WordPress Dokan Lite Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-14977) |
| 530863 | Apache bRPC Command Injection Vulnerability (CVE-2025-60021) |
| 530864 | WordPress Creator LMS Plugin: Missing Authorization Vulnerability (CVE-2025-15347) |
| 530865 | WordPress NotificationX Plugin: Cross-Site Scripting Vulnerability (CVE-2025-15380) |
| 530866 | WordPress Nexter Extension Plugin: PHP Object Injection Vulnerability (CVE-2026-0726) |
| 530874 | WordPress LA-Studio Element Kit Plugin: Privilege Escalation Vulnerability (CVE-2026-0920) |
| 530875 | WordPress Demo Importer Plus Plugin: XML External Entity Injection (XXE) Vulnerability (CVE-2025-14478) |
| 530876 | WordPress Hustle Plugin: Arbitrary File Upload Vulnerability (CVE-2026-0911) |
| 530879 | WordPress Frontis Blocks Plugin: Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-0807) |
| 530880 | WordPress User Submitted Posts Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-0800) |
| 530885 | WordPress Melapress Role Editor Plugin: Privilege Escalation Vulnerability (CVE-2025-14866) |
| 530886 | WordPress Kalrav AI Agent Plugin: Arbitrary File Upload Vulnerability (CVE-2025-13374) |
| 530887 | WordPress LazyTasks Plugin: Privilege Escalation Vulnerability (CVE-2025-68869) |
| 530890 | Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution (RCE) Vulnerabilities (CVE-2026-1281, CVE-2026-1340) |
| 530891 | WordPress Snow Monkey Forms Plugin: Arbitrary File Deletion Vulnerability (CVE-2026-1056) |
| 530892 | WordPress Prowess Theme: Local File Inclusion Vulnerability (CVE-2026-24531) |
| 530893 | Moodle Remote Code Execution (RCE) Vulnerability (CVE-2025-67847) |
| 530894 | WordPress Simple User Registration Plugin: Privilege Escalation Vulnerability (CVE-2026-0844) |
| 530895 | WordPress Search Atlas SEO Plugin: Authentication Bypass Vulnerability (CVE-2025-14386) |
| 530896 | MLflow Remote Code Execution (RCE) Vulnerability (CVE-2025-10279) |
| 530897 | WordPress BuddyPress Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-11976) |
| 530898 | WordPress Omnipress Plugin: Local File Inclusion Vulnerability (CVE-2026-24538) |
| 530899 | vLLM Remote Code Execution (RCE) Vulnerability (CVE-2026-22778) |
| 530900 | ClipBucket V5 Default Credentials |
| 530901 | Apache Syncope Reflected Cross-Site Scripting Vulnerability (CVE-2026-23794) |
| 530902 | WordPress WP FOFT Loader Plugin: Arbitrary File Upload Vulnerability (CVE-2026-1756) |
| 530903 | Grafana Privilege Escalation Vulnerability (CVE-2026-21721) |
| 530904 | Apache Syncope XML External Entity Vulnerability (CVE-2026-23795) |
| 530905 | SolarWinds Web Help Desk Remote Code Execution (RCE) Vulnerability (CVE-2025-40551) |
| 530906 | WordPress Gyan Elements Plugin: Local File Inclusion Vulnerability (CVE-2026-23978) |
| 530907 | Grafana Denial of Service (DoS) Vulnerability (CVE-2026-21720) |
| 530908 | SolarWinds Web Help Desk Hardcoded Credentials Vulnerability (CVE-2025-40537) |
| 530909 | N8n Python Sandbox Escape Vulnerability (CVE-2026-25115) |
| 530910 | Apache StreamPark Weak Encryption Algorithm Vulnerability (CVE-2025-54981) |
| 530911 | WordPress Tutor LMS Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2026-1375) |
| 530912 | WordPress OS DataHub Maps Plugin: Arbitrary File Upload Vulnerability (CVE-2026-1730) |
| 530913 | N8n Command Execution Vulnerability (CVE-2026-25049) |
| 530914 | WordPress WP Duplicate Plugin: Missing Authorization Vulnerability (CVE-2026-1499) |
| 530915 | WordPress JAY Login and Register Plugin: Privilege Escalation Vulnerabilities (CVE-2025-15100, CVE-2025-15027) |
| 530916 | FortiClientEMS SQL Injection Vulnerability (CVE-2026-21643) |
| 530917 | WordPress Popup Builder Block Plugin: SQL Injection Vulnerability (CVE-2025-13192) |
| 530918 | SolarWinds Web Help Desk Authentication Bypass Vulnerabilities (CVE-2025-40552, CVE-2025-40554) |
| 530919 | SolarWinds Web Help Desk Deserialization Remote Code Execution Vulnerability (CVE-2025-40553) |
| 530920 | WordPress SportsPress Plugin: Local File Inclusion Vulnerability (CVE-2025-15368) |
| 530921 | React Native Community CLI OS Command Injection Vulnerability (CVE-2025-11953) |
| 530922 | Fortinet FortiOS LDAP Authentication Bypass Vulnerability (CVE-2026-22153) |
| 530923 | pgAdmin Secret Key Disclosure Vulnerability (CVE-2026-1707) |
| 530924 | WordPress Golo Theme: Local File Inclusion Vulnerability (CVE-2026-23975) |
| 530925 | WordPress WPvivid Backup Restore Plugin: Arbitrary File Upload Vulnerability (CVE-2026-1357) |
| 530926 | GitLab CE/EE Incomplete Validation Vulnerability (CVE-2025-7659) |
| 530927 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-8099) |
| 530928 | Apache Airflow DAG Import Error Information Disclosure Vulnerability (CVE-2026-24098) |
| 530929 | Apache Airflow Task Log Authorization Bypass Vulnerability (CVE-2026-22922) |
| 530930 | WordPress Ninja Forms Plugin: Information Disclosure Vulnerability (CVE-2026-2268) |
| 530931 | Apache Hadoop Out-of-bounds Write Vulnerability (CVE-2025-27821) |
| 530932 | Apache Druid Authentication Bypass Vulnerability (CVE-2026-23906) |
| 530933 | Apache HertzBeat XPath Injection Vulnerability (CVE-2026-24343) |
| 530934 | GitLab CE/EE Denial of Service Vulnerability (CVE-2026-0958) |
| 530935 | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2026-1602) |
| 530936 | Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability (CVE-2026-1603) |
| 530937 | WordPress WC Frontend Manager Plugin: Missing Authorization Vulnerability (CVE-2026-0845) |
| 530938 | WordPress Name Directory Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-1866) |
| 530939 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-14560) |
| 530940 | GitLab CE/EE HTML Injection Vulnerability (CVE-2026-0595) |
| 530941 | Zohocorp ManageEngine ADSelfService Plus Account Takeover Vulnerability (CVE-2025-1723) |
| 530942 | Dify Cross-Site Scripting (XSS) Vulnerability (CVE-2026-26023) |
| 530943 | Roundcube Webmail Improper Remote Image Blocking Vulnerability (CVE-2026-25916) |
| 530944 | Roundcube Webmail CSS Injection Vulnerability (CVE-2026-26079) |
| 530945 | WordPress AdForest Theme: Authentication Bypass Vulnerability (CVE-2026-1729) |
| 530946 | GitLab CE/EE Denial of Service Vulnerability (CVE-2026-1458) |
| 530947 | GitLab CE/EE Denial of Service Vulnerability (CVE-2026-1456) |
| 530948 | WordPress CleanTalk Spam Protect Plugin: Authorization Bypass Vulnerability (CVE-2026-1490) |
| 530949 | GitLab EE Denial of Service Vulnerability (CVE-2026-1387) |
| 530950 | GitLab EE Server-Side Request Forgery Vulnerability (CVE-2025-12575) |
| 530951 | WordPress MIDI-Synth Plugin: Arbitrary File Upload Vulnerability (CVE-2026-1306) |
| 530952 | WordPress WowRevenue Plugin: Missing Authorization Vulnerability (CVE-2026-2001) |
| 530953 | GitLab CE/EE Improper Validation Vulnerability (CVE-2026-1094) |
| 530954 | GitLab CE/EE Server-Side Request Forgery Vulnerability (CVE-2025-12073) |
| 530955 | GitLab EE Authorization Bypass Vulnerability (CVE-2026-1080) |
| 530956 | WordPress WpForo Forum Plugin: PHP Object Injection Vulnerability (CVE-2026-0910) |
| 530957 | WordPress Lazy Blocks Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2026-1560) |
| 530958 | BeyondTrust Privileged Remote Access (PRA) Remote Code Execution (RCE) Vulnerability (CVE-2026-1731) |
| 530959 | Zimbra Server-Side Request Forgery (SSRF) Vulnerability (CVE-2020-7796) |
| 530960 | WordPress Videospire Core Theme: Privilege Escalation Vulnerability (CVE-2025-15096) |
| 530961 | WordPress FastDup Plugin: Missing Authorization Vulnerability (CVE-2026-1104) |
| 530962 | WordPress Ecwid Shopping Cart Plugin: Privilege Escalation Vulnerability (CVE-2026-1750) |
| 530963 | MCPJam Inspector Remote Code Execution Vulnerability (CVE-2026-23744) |
| 530964 | Apache Tomcat HTTP/0.9 Security Constraint Bypass Vulnerability (CVE-2026-24733) |
| 530965 | Apache Tomcat OCSP Validation Bypass Vulnerability (CVE-2026-24734) |
| 530966 | Apache Tomcat Client Certificate Bypass Vulnerability (CVE-2025-66614) |
| 530967 | WordPress Lucky Wheel Giveaway Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2025-14541) |
| 530968 | WordPress Starfish Reviews Plugin: Missing Authorization Vulnerability (CVE-2025-15157) |
| 530969 | Zohocorp ManageEngine ADSelfService Plus SQL Injection Vulnerability (CVE-2026-1367) |
| 530970 | Splunk Enterprise/Cloud Platform Path Traversal Vulnerability (CVE-2026-20137) |
| 530971 | Splunk Enterprise/Cloud Platform Denial of Service Vulnerability (CVE-2026-20139) |
| 530972 | WordPress YayMail Plugin: Missing Authorization Vulnerability (CVE-2026-1937) |
| 530973 | WordPress Lizza LMS Pro Plugin: Privilege Escalation Vulnerability (CVE-2025-13563) |
| 530974 | WordPress ElementsKit Lite Plugin: Missing Authentication Vulnerability (CVE-2026-23693) |
| 530975 | WordPress Slider Future Plugin: Arbitrary File Upload Vulnerability (CVE-2026-1405) |
| 530976 | Splunk Enterprise Sensitive Information Disclosure Vulnerability (CVE-2026-20138) |
| 530977 | Splunk Enterprise Improper Access Control Vulnerability (CVE-2026-20141) |
| 530978 | Splunk Enterprise/Cloud Platform Sensitive Information Disclosure Vulnerability (CVE-2026-20144) |
| 580908 | Business Logic Flaw in Subscription Duration Validation |
| 580909 | Privilege Escalation Through Access Tier Manipulation |
| 580910 | Referral Program Abuse via Referral Code Reuse |
| 580911 | Alfresco CMS Detection |
| 580912 | EasyCVR Information Disclosure Vulnerability (CVE-2025-1595) |
| 580913 | Apigee Login Panel Detected |
| 580914 | Axway API Manager Panel Detected |
| 580915 | BeyondTrust Privileged Access Management Detected |
| 580916 | Ambassador API Gateway Diagnostics Exposure |
| 580917 | SOAP-based ASP.NET Web Services Collection Detected |
| 580918 | AsyncAPI Spec Inventory Detected |
| 580919 | Couchbase Buckets Unauthenticated REST API Detected |
| 580920 | FreshRSS Google Reader API Exposure |
| 580921 | FreshRSS Fever API Exposure |
| 580922 | Jeecg Boot Swagger Bootstrap UI Detected |
| 580923 | Redfish API Detected |
| 580924 | Seafile API Detected |
| 580925 | Strapi API Detected |
| 580926 | Tolgee API Detected |
| 580927 | Langflow AI CORS Misconfiguration Vulnerability (CVE-2025-34291) |
Qualys Notification: Application Security Detections Published in February 2026