Web Application Detections Published in July 2025
In July, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
Next.js, Apache, Mattermost, Adobe Magento, MLflow, SugarCRM, Fortinet, WordPress, MCP, WingFTP, Gogs, Moodle, Ivanti, Adobe ColdFusion, LiteLLM, Zimbra, Oracle WebLogic Server, JetBrains YouTrack, LaRecipe, Grafana, GitLab, Microsoft SharePoint Server, Dify, XWiki, Drupal, JetBrains TeamCity, PaperCut, NetAlertX.
| QID | Title |
|---|---|
| 151065 | Next.js Denial of Service (DoS) Vulnerability (CVE-2025-49826) |
| 151066 | Next.js Cache Poisoning Vulnerability (CVE-2025-49005) |
| 520062 | Apache APISIX OpenID Connect Plugin Authentication Bypass Vulnerability (CVE-2025-46647) |
| 520063 | Apache HTTP Server HTTP/2 Denial-of-Service Vulnerability (CVE-2025-53020) |
| 520064 | Apache HTTP Server mod_ssl TLS Upgrade HTTP Desynchronization Vulnerability (CVE-2025-49812) |
| 520065 | Apache HTTP Server Denial-of-Service Vulnerability (CVE-2025-49630) |
| 520066 | Apache HTTP Server Improper Access Control Vulnerability (CVE-2025-23048) |
| 520067 | Apache HTTP Server Log Injection Vulnerability (CVE-2024-47252) |
| 520068 | Apache HTTP Server Server-Side Request Forgery (SSRF) Vulnerabilities (CVE-2024-43394, CVE-2024-43204) |
| 520069 | Apache HTTP Server HTTP Response Splitting Vulnerability (CVE-2024-42516) |
| 530213 | Mattermost Guest User Playbook Run Exposure Vulnerability (CVE-2025-3228) |
| 530224 | Adobe Magento Improper Authorization Vulnerability (CVE-2024-34104) |
| 530230 | Adobe Magento Improper Access Control Vulnerability (CVE-2024-34107) |
| 530231 | Adobe Magento Multiple Improper Input Validation Vulnerabilities (CVE-2024-34108, CVE-2024-34109) |
| 530232 | Adobe Magento Unrestricted File Upload Vulnerability (CVE-2024-34110) |
| 530234 | MLflow Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-52967) |
| 530235 | SugarCRM PHP Object Injection Vulnerability (CVE-2025-25034) |
| 530236 | Fortinet FortiOS Hard-Coded Credentials Vulnerability (CVE-2019-6693) |
| 530237 | WordPress Simple User Registration Plugin: Privilege Escalation Vulnerability (CVE-2025-4334) |
| 530238 | MCP Inspector Remote Code Execution (RCE) Vulnerability (CVE-2025-49596) |
| 530239 | WingFTP Remote Code Execution Vulnerability (CVE-2025-47812) |
| 530240 | WordPress Owl Carousel Responsive Plugin: SQL Injection Vulnerability (CVE-2025-5590) |
| 530241 | WordPress PT Project Notebooks Plugin: Privilege Escalation Vulnerability (CVE-2025-5304) |
| 530242 | WordPress Simple Payment Plugin: Authentication Bypass Vulnerability (CVE-2025-6688) |
| 530243 | Gogs Remote Code Execution (RCE) Vulnerability (CVE-2024-56731) |
| 530244 | Moodle Jmol Plugin Path Traversal Vulnerability (CVE-2025-34031) |
| 530245 | Moodle Jmol Plugin Cross-Site Scripting (XSS) Vulnerability (CVE-2025-34032) |
| 530246 | Gogs Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-47943) |
| 530247 | WordPress WP Human Resource Management Plugin: Privilege Escalation Vulnerability (CVE-2025-5953) |
| 530248 | Mattermost Incorrect Authorization Vulnerability (CVE-2025-46702) |
| 530249 | Mattermost Incorrect Authorization Vulnerability (CVE-2025-47871) |
| 530250 | Adobe Magento Incorrect Authorization Vulnerability (CVE-2024-34106) |
| 530251 | Apache Airflow Providers Snowflake Special Element Injection Vulnerability (CVE-2025-50213) |
| 530252 | Nimesa Backup and Recovery OS Command Injection Vulnerability (CVE-2025-48501) |
| 530253 | Nimesa Backup and Recovery Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-53473) |
| 530254 | Apache Seata Insecure Deserialization Vulnerability (CVE-2025-32897) |
| 530255 | WordPress AI Engine Plugin: Open Redirect Vulnerability (CVE-2025-6238) |
| 530256 | WordPress Booking X Plugin: Missing Authorization Vulnerability (CVE-2025-6814) |
| 530257 | WordPress GoZen Forms Plugin: SQL Injection Vulnerability (CVE-2025-6783) |
| 530259 | Ivanti Endpoint Manager (EPM) Improper Encryption Vulnerabilities (CVE-2025-6995, CVE-2025-6996) |
| 530260 | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2025-7037) |
| 530261 | Ivanti Connect Secure (ICS) Improper Access Control Vulnerability (CVE-2025-5450) |
| 530262 | Ivanti Connect Secure (ICS) Insertion of Sensitive Information into Log File Vulnerabilities (CVE-2025-5463, CVE-2025-5464) |
| 530263 | Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-5451) |
| 530264 | Ivanti Connect Secure (ICS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-0292) |
| 530265 | Ivanti Connect Secure (ICS) CLRF Injection Vulnerability (CVE-2025-0293) |
| 530266 | Adobe ColdFusion XML External Entity (XXE) Vulnerabilities (CVE-2025-49535, CVE-2025-49539, CVE-2025-49544) |
| 530267 | Adobe ColdFusion Hard-coded Credentials Vulnerability (CVE-2025-49551) |
| 530268 | Adobe ColdFusion Incorrect Authorization Vulnerability (CVE-2025-49536) |
| 530269 | WordPress Profitori Plugin: Privilege Escalation Vulnerability (CVE-2025-4631) |
| 530270 | LiteLLM SQL Injection Vulnerability (CVE-2025-45809) |
| 530271 | WordPress Smash Balloon Social Photo Feed Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-4583) |
| 530272 | Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-49518) |
| 530273 | Moodle Insufficient Authorization Vulnerability (CVE-2025-49517) |
| 530274 | Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-49516) |
| 530275 | Zimbra Denial of Service (DoS) Vulnerability (CVE-2025-53645) |
| 530276 | Adobe ColdFusion OS Command and XML Injection Vulnerabilities (CVE-2025-49537, CVE-2025-49538) |
| 530277 | Adobe ColdFusion Cross-Site Scripting (XSS) Vulnerabilities (APSB25-69) |
| 530278 | WordPress WPBookit Plugin: Arbitrary File Upload Vulnerabilities (CVE-2025-6057, CVE-2025-6058) |
| 530279 | Adobe ColdFusion Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-49545) |
| 530280 | Adobe ColdFusion Denial of Service (DoS)Vulnerability (CVE-2025-49546) |
| 530281 | WordPress Friends Plugin: PHP Object Injection Vulnerability (CVE-2025-7504) |
| 530282 | Moodle Insufficient Authorization Vulnerability (CVE-2025-49515) |
| 530283 | Moodle Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-49514) |
| 530284 | WordPress SureForms Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-6691) |
| 530285 | Apache Tomcat Denial of Service (DoS) Vulnerabilities (CVE-2025-52520, CVE-2025-53506) |
| 530287 | WordPress SureForms Plugin: PHP Object Injection Vulnerability (CVE-2025-6742) |
| 530288 | Ivanti Endpoint Manager Mobile (EPMM) OS Command Injection Vulnerabilities (CVE-2025-6770,CVE-2025-6771) |
| 530289 | WordPress Broken Link Notifier Plugin: Server-Side Request Forgery Vulnerability (CVE-2025-6851) |
| 530291 | WordPress HT Contact Form Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7341) |
| 530292 | WordPress HT Contact Form Plugin: Arbitrary File Upload Vulnerability (CVE-2025-7340) |
| 530293 | WordPress HT Contact Form Plugin: Arbitrary File Moving Vulnerability (CVE-2025-7360) |
| 530294 | Moodle Password Caching Vulnerability (CVE-2025-49513) |
| 530295 | Moodle MathJax Cross-Site Scripting (XSS) Vulnerability (CVE-2025-49512) |
| 530296 | Oracle WebLogic Server Multiple Vulnerabilities (CPU-JUL2025) |
| 530297 | JetBrains YouTrack Email Spoofing Vulnerability (CVE-2025-53959) |
| 530298 | LaRecipe Server-Side Template Injection Vulnerability (CVE-2025-53833) |
| 530299 | WordPress Restrict File Access Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-7667) |
| 530300 | WordPress Counter Live Visitors For WooCommerce Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7359) |
| 530301 | Fortinet FortiOS Heap-based Buffer Overflow Vulnerability (CVE-2025-24477) |
| 530303 | WordPress WP Event Manager Plugin: Cross-Site Scripting Vulnerability (CVE-2025-2800) |
| 530304 | WordPress Aapanel WP Toolkit Plugin: Privilege Escalation Vulnerability (CVE-2025-6813) |
| 530305 | WordPress Attachment Manager Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7643) |
| 530306 | Grafana Cross-Site-Scripting (XSS) Vulnerability (CVE-2025-6023) |
| 530307 | Grafana Open Redirect Vulnerability (CVE-2025-6197) |
| 530308 | Fortinet FortiWeb SQL Injection Vulnerability (CVE-2025-25257) |
| 530309 | GitLab CE/EE Cross-site Scripting Vulnerability (CVE-2025-6948) |
| 530310 | GitLab EE Incorrect Authorization Vulnerability (CVE-2025-6168) |
| 530311 | GitLab EE Incorrect Authorization Vulnerability (CVE-2025-4972) |
| 530312 | GitLab EE Incorrect Authorization Vulnerability (CVE-2025-3396) |
| 530313 | GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-4979) |
| 530314 | GitLab CE/EE User Interface Misrepresentation Vulnerability (CVE-2024-9163) |
| 530315 | WordPress Integration For Contact Form 7 And Pipedrive Plugin: PHP Object Injection Vulnerability (CVE-2025-7696) |
| 530316 | WordPress Extensions For CF7 Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7645) |
| 530317 | Microsoft SharePoint Server Multiple Vulnerabilities (CVE-2025-53770, CVE-2025-53771) |
| 530318 | GitLab CE/EE GraphQL Information Disclosure Vulnerability (CVE-2025-1110) |
| 530319 | GitLab CE/EE SAML XPath Validation Bypass Vulnerability (CVE-2024-12093) |
| 530320 | GitLab CE/EE Email Address Disclosure Vulnerability (CVE-2025-0679) |
| 530321 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-0993) |
| 530322 | GitLab CE/EE Two-Factor Authentication Bypass Vulnerability (CVE-2025-0605) |
| 530323 | GitLab CE/EE Discord Webhook Denial of Service Vulnerability (CVE-2024-7803) |
| 530324 | WordPress bSecure Plugin: Privilege Escalation Vulnerability (CVE-2025-6187) |
| 530325 | WordPress Nginx Cache Purge Preload Plugin: Remote Code Execution Vulnerability (CVE-2025-6213) |
| 530326 | WordPress Social Streams Plugin: Privilege Escalation Vulnerability (CVE-2025-7722) |
| 530329 | WordPress Integration For Contact Form 7 and Google Sheets Plugin: PHP Object Injection Vulnerability (CVE-2025-7697) |
| 530330 | Dify Code Execution Vulnerability (CVE-2025-3466) |
| 530331 | Apache Jena Path Traversal Vulnerability (CVE-2025-49656) |
| 530332 | XWiki SQL Injection Vulnerability (CVE-2025-32429) |
| 530333 | WordPress Melapress Login Security Plugin: Authentication Bypass Vulnerability (CVE-2025-6895) |
| 530334 | WordPress Dataverse Integration Plugin: Privilege Escalation Vulnerability (CVE-2025-7695) |
| 530335 | Drupal Stage File Proxy Unauthenticated Flooding Vulnerability (CVE-2025-3734) |
| 530336 | Drupal Simple GTM Cross-Site Scripting Vulnerability (CVE-2025-3736) |
| 530337 | Drupal Google Optimize Authentication Bypass Vulnerability (CVE-2025-3738) |
| 530338 | JetBrains TeamCity CSRF Vulnerabilities (CVE-2025-54528,CVE-2025-54529,CVE-2025-54536) |
| 530339 | JetBrains TeamCity Privilege Escalation Vulnerability (CVE-2025-54530) |
| 530340 | JetBrains TeamCity Path Traversal Vulnerability (CVE-2025-54531) |
| 530341 | PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-2533) |
| 530342 | NetAlertX Password Bypass Vulnerability (CVE-2025-48952) |
| 530343 | Drupal Panelizer Cross-Site Request Forgery Vulnerability (CVE-2025-3735) |
| 530344 | Drupal Google Optimize Hide Page Information Disclosure Vulnerability (CVE-2025-3739) |
| 530345 | Drupal Google Maps Store Locator Cross-Site Scripting Vulnerability (CVE-2025-3737) |
| 530346 | NetAlertX Authentication Bypass Vulnerability (CVE-2025-32440) |
| 530348 | JetBrains TeamCity Improper Access Control Vulnerabilities (CVE-2025-54532, CVE-2025-54533) |
| 530349 | JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-54534) |
| 530350 | JetBrains TeamCity Weak Hashing Algorithm Vulnerability (CVE-2025-54535) |
| 530351 | Drupal baguetteBox.Js Cross-Site Scripting Vulnerability (CVE-2025-3733) |
| 530352 | NetAlertX Command Injection Vulnerability (CVE-2024-46506) |
| 530353 | JetBrains TeamCity Sensitive Credential Exposure Vulnerabilities (CVE-2025-54537,CVE-2025-54538) |
Qualys Notification: Web Application Detections Published in July 2025