Application Security Detections Published in January 2026
In January, Qualys Web Application Scanning and API Security released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
React Router, Next.js, Billboard.js, OpenSSL, Drupal, WordPress, Mattermost, Cacti, Digiever, RustFS, Apache Tomcat, Dify, Zimbra, N8n, Langflow, JetBrains, SeaCMS, GitLab, MLflow, Mailpit, Adobe ColdFusion, Fortinet, Cisco, SAP, Oracle, Apache Airflow, BentoML, Apache Solr, vLLM
Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities. Immediate resolution of these vulnerabilities as soon as they are detected should be a priority for all organizations. If not addressed, these vulnerabilities can pose security risks, such as breaches, unauthorized access, and various malicious activities.
The following table lists the QIDs released in January 2026.
| QID | Title |
| 151073 | React Router Arbitrary File Read/Write Vulnerability (CVE-2025-61686) |
| 151074 | React Router Cross Site Scripting (XSS) Vulnerabilities (CVE-2026-21884,CVE-2026-22029) |
| 151075 | React Router Cross Site Scripting (XSS) Vulnerability (CVE-2025-59057) |
| 151076 | Next.js Denial of Service (DoS) Vulnerability (CVE-2025-59471) |
| 151077 | Next.js Denial of Service (DoS) Vulnerability (CVE-2025-59472) |
| 151078 | Billboard.js Cross Site Scripting (XSS) Vulnerability (CVE-2026-1513) |
| 520100 | Open Secure Sockets Layer (OpenSSL) Stack Buffer Overflow Vulnerability (CVE-2025-15467) |
| 520101 | Open Secure Sockets Layer (OpenSSL) Improper Validation Vulnerability (CVE-2025-11187) |
| 530640 | Drupal Simple OAuth (OAuth2) and OpenID Connect: Access Bypass Vulnerability (CVE-2025-12466) |
| 530641 | WordPress Academy LMS Plugin: PHP Object Injection Vulnerability (CVE-2025-12099) |
| 530651 | WordPress Asgaros Forum Plugin: SQL Injection Vulnerability (CVE-2025-11452) |
| 530652 | WordPress Alex Reservations Plugin: Arbitrary File Upload Vulnerability (CVE-2025-12399) |
| 530715 | Drupal CivicTheme: Cross-site Scripting (XSS) Vulnerability (CVE-2025-12083) |
| 530716 | Drupal Currency Module: Cross Site Request Forgery (CSRF) Vulnerability (CVE-2025-10930) |
| 530759 | WordPress Elementor Website Builder Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-11220) |
| 530763 | WordPress Multi Uploader Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-14344) |
| 530764 | WordPress LazyTasks Plugin: Arbitrary Account Takeover Vulnerability (CVE-2025-12963) |
| 530765 | WordPress Newsletter Plugin: SQL Injection Vulnerability (CVE-2025-67999) |
| 530781 | WordPress wpForo Forum Plugin: SQL Injection Vulnerability (CVE-2025-13126) |
| 530782 | WordPress Blaze Demo Importer Plugin: Unauthorized Database Reset Vulnerability (CVE-2025-13334) |
| 530783 | Mattermost Jira Plugin: Authentication Bypass Vulnerability (CVE-2025-14273) |
| 530794 | Cacti Command Injection Vulnerability (CVE-2025-66399) |
| 530795 | WordPress WP Directory Kit Plugin: SQL Injection Vulnerability (CVE-2025-13089) |
| 530796 | WordPress FunnelKit Plugin: SQL Injection Vulnerability (CVE-2025-14169) |
| 530797 | WordPress SureForms Plugin: Cross-Site Scripting Vulnerability (CVE-2025-14855) |
| 530798 | Digiever DS-2105 Pro Command Injection Vulnerability (CVE-2023-52163) |
| 530799 | RustFS gRPC Hardcoded Token Authentication Bypass Vulnerability (CVE-2025-68926) |
| 530800 | Apache Tomcat UTF-8 Decoder Denial of Service (DoS) Vulnerability (CVE-2018-1336) |
| 530801 | Apache Tomcat TLS Security Constraint Bypass Vulnerability (CVE-2018-8034) |
| 530802 | Dify API Key Exposure Vulnerability (CVE-2025-67732) |
| 530803 | Zimbra Local File Inclusion (LFI) Vulnerability (CVE-2025-68645) |
| 530804 | WordPress Advanced Ads Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2025-13592) |
| 530805 | N8n Arbitrary Command Execution Vulnerability (CVE-2025-68668) |
| 530806 | Langflow Missing Authentication Vulnerability (CVE-2026-21445 |
| 530807 | Zimbra Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-66376) |
| 530808 | Zimbra Hardcoded Flickr Credentials Vulnerability (CVE-2025-67809) |
| 530809 | WordPress Fancy Product Designer Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-12570) |
| 530810 | JetBrains TeamCity Path Traversal Vulnerability (CVE-2025-67742) |
| 530811 | WordPress Image Gallery Plugin: Path Traversal Vulnerability (CVE-2025-13891) |
| 530812 | WordPress Blocksy Companion Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-12475) |
| 530813 | SeaCMS SQL Injection Vulnerability (CVE-2025-15002) |
| 530814 | WordPress Frontend Admin Plugin: Multiple Security Vulnerabilities (CVE-2025-14736, CVE-2025-14741) |
| 530815 | WordPress Frontend Admin Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-14937) |
| 530816 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-14157) |
| 530817 | GitLab EE Information Disclosure Vulnerability (CVE-2025-11247) |
| 530818 | GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-13978) |
| 530819 | GitLab CE/EE HTML Injection Vulnerability (CVE-2025-12734) |
| 530820 | N8n Unauthenticated File Access Vulnerability (CVE-2026-21858) |
| 530821 | WordPress SlimStat Analytics Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-15057) |
| 530822 | WordPress SlimStat Analytics Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-15055) |
| 530823 | WordPress Eventin Plugin: Missing Authorization Vulnerability (CVE-2025-14657) |
| 530824 | MLflow DNS Rebinding Vulnerability (CVE-2025-14279) |
| 530826 | Mailpit Server Side Request Forgery Vulnerability (CVE-2026-21859) |
| 530827 | WordPress Brevo for WooCommerce Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-14436) |
| 530828 | WordPress WooCommerce Square Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-13457) |
| 530829 | WordPress Opvius AI Plugin: Path Traversal Vulnerability (CVE-2025-14301) |
| 530830 | Adobe ColdFusion Arbitrary Code Execution Vulnerability via Apache Tika Dependency (APSB26-12) |
| 530831 | Mailpit Cross-Site WebSocket Hijacking Vulnerability (CVE-2026-22689) |
| 530832 | Fortinet FortiSIEM OS Command Injection Vulnerability (CVE-2025-64155) |
| 530833 | Cisco Identity Services Engine (ISE) XML External Entity Vulnerability (CVE-2026-20029) |
| 530834 | WordPress GeekyBot Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-15266) |
| 530835 | WordPress Name Directory Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-15283) |
| 530836 | WordPress Appointment Booking Calendar Plugin: SQL Injection Vulnerability (CVE-2025-12166) |
| 530837 | WordPress News and Blog Designer Bundle Plugin: Local File Inclusion (LFI) Vulnerability (CVE-2025-14502) |
| 530838 | WordPress Uploadify Plugin: Arbitrary File Upload Vulnerability (CVE-2011-10041) |
| 530840 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-9222) |
| 530841 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-13761) |
| 530842 | SAP S/4HANA SQL Injection Vulnerability (CVE-2026-0501) |
| 530843 | FortiClientEMS SQL Injection Vulnerability (CVE-2025-59922) |
| 530844 | SAP S/4HANA Code Injection Vulnerability (CVE-2026-0498) |
| 530845 | WordPress RegistrationMagic Plugin: Privilege Escalation Vulnerability (CVE-2025-15403) |
| 530846 | WordPress Registration Login with Mobile Phone Number Plugin: Authentication Bypass Vulnerability (CVE-2025-10484) |
| 530847 | WordPress Supreme Modules Lite Plugin: Arbitrary File Upload Vulnerability (CVE-2025-13062) |
| 530848 | WordPress Video Gallery Plugin: Arbitrary File Upload Vulnerability (CVE-2025-12957) |
| 530849 | Apache Airflow Rendered Templates Information Disclosure Vulnerability (CVE-2025-68438) |
| 530850 | Oracle WebLogic Server Multiple Vulnerabilities (CPU-JAN2026) |
| 530851 | WordPress Cinerama Theme: Local File Inclusion Vulnerability (CVE-2025-68987) |
| 530857 | GitLab EE Missing Authorization Vulnerability (CVE-2025-13772) |
| 530858 | GitLab EE Missing Authorization Vulnerability (CVE-2025-13781) |
| 530859 | vLLM Denial of Service (DoS) Vulnerability (CVE-2026-22773) |
| 530860 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-10569) |
| 530861 | GitLab CE/EE Insufficient Access Control Vulnerability (CVE-2025-11246) |
| 530862 | GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-3950) |
| 530867 | vLLM Remote Code Execution (RCE) Vulnerability (CVE-2026-22807) |
| 530868 | vLLM Denial of Service (DoS) Vulnerability (CVE-2025-62372) |
| 530869 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-13927) |
| 530870 | GitLab CE/EE Incorrect Authorization Vulnerability (CVE-2025-13928) |
| 530871 | BentoML Path Traversal Vulnerability (CVE-2026-24123) |
| 530872 | GitLab CE/EE Unchecked Return Value Vulnerability (CVE-2026-0723) |
| 530873 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-13335) |
| 530877 | Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2026-24858) |
| 530878 | vLLM Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-24779) |
| 530881 | Apache Solr Improper Authorization Vulnerability (CVE-2026-22022) |
| 530882 | Apache Solr Improper Input Validation Vulnerability (CVE-2026-22444) |
| 530883 | N8n Remote Code Execution Vulnerability (CVE-2026-1470) |
| 530884 | N8n Arbitrary Code Execution Vulnerability (CVE-2026-0863) |
| 530888 | N8n Remote Code Execution Vulnerability (CVE-2026-21877) |
| 530889 | GitLab CE/EE Denial of Service Vulnerability (CVE-2026-1102) |
| 580899 | Bypass Product Bundle Creations |
| 580902 | GraphQL CSRF via Manipulated Content-Type Header |
| 580904 | Exploiting Default Values for Loan Calculation |
| 580905 | Authentication Bypass via Malformed Auth Headers |
| 580906 | Improper Amount Transfer Handling |
| 580907 | Business Logic Flaw in Inventory / Stock Management |
Qualys Notification: Application Security Detections Published in January 2026