Application Security Detections Published in March 2026
In March, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
Underscore.js, Angular, Next.js, Atlassian, ClipBucket, OpenSSL, Nginx, WordPress, JetBrains, DNN, Drupal, Gradio, GitLab, Grafana, Keycloak, Apache Tomcat, Omnissa, Strapi, Apache Ranger, Microsoft SharePoint, F5, Craft CMS, Langflow, Apache Superset, Apache Spark, Apache Camel, Zimbra, Apache Airflow, Hoverfly, EasyCVR, Glances
Details about the following QIDs can be found in our knowledge base. Please review the reports for the scanned applications associated with these detections and, if any are identified, follow the steps in the Knowledge Base to ensure the applications are protected against the reported vulnerabilities. Immediate resolution of these vulnerabilities as soon as they are detected should be a priority for all organizations. If left unaddressed, these vulnerabilities can pose security risks, including breaches, unauthorized access, and various malicious activities.
The following table lists the QIDs released in March 2026.
| QID | Title |
| QID | Title |
| 151081 | Underscore.js Denial of Service (DOS) Vulnerability (CVE-2026-27601) |
| 151082 | Angular Cross-Site Scripting (XSS) Vulnerability (CVE-2026-22610) |
| 151083 | Angular Cross-Site Scripting (XSS) Vulnerability (CVE-2026-27970) |
| 151084 | Angular Cross-Site Scripting (XSS) Vulnerability (CVE-2026-32635) |
| 151085 | Next.js HTTP Request Smuggling Vulnerability (CVE-2026-29057) |
| 151086 | Next.js Uncontrolled Resource Consumption Vulnerability (CVE-2026-27980) |
| 151087 | Next.js Potential Denial of Service Vulnerability (CVE-2026-27979) |
| 151088 | Next.js React Server Components (RSC) Denial of Service (DoS) Vulnerability (CVE-2026-23864) |
| 520116 | EOL/Obsolete Software: Atlassian Confluence 5.x Detected |
| 520117 | EOL/Obsolete Software: Atlassian Confluence 6.x Detected |
| 520118 | ClipBucket V5 Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2026-28354) |
| 520119 | EOL/Obsolete Software: Atlassian Confluence 7.x Detected |
| 520120 | EOL/Obsolete Software: Atlassian Confluence 8.x Detected |
| 520121 | OpenSSL CBC Timing Side-Channel Plaintext Recovery Vulnerability (CVE-2013-0169) (Lucky Thirteen) |
| 520122 | Atlassian Bamboo Data Center Remote Code Execution (RCE) Vulnerability (CVE-2026-21570) |
| 520123 | Nginx ngx_http_dav_module Buffer Overflow Vulnerability (CVE-2026-27654) |
| 520124 | Nginx ngx_http_mp4_module Buffer Overflow Vulnerabilities (CVE-2026-27784,CVE-2026-32647) |
| 520125 | Nginx ngx_mail_auth_http_module NULL Pointer Dereference Vulnerability (CVE-2026-27651) |
| 520126 | NGINX ngx_mail_smtp_module CRLF Injection Vulnerability (CVE-2026-28753) |
| 520127 | NGINX ngx_stream_ssl_module OCSP Revocation Bypass Vulnerability (CVE-2026-28755) |
| 520128 | NGINX SSL/TLS Upstream Injection Vulnerability (CVE-2026-1642) |
| 530979 | WordPress S2Member Plugin: Privilege Escalation Vulnerability (CVE-2026-1994) |
| 530980 | WordPress Clasifico Listing Plugin: Privilege Escalation Vulnerability (CVE-2025-12882) |
| 530981 | WordPress Prodigy Commerce Plugin: Local File Inclusion Vulnerability (CVE-2026-0926) |
| 530982 | JetBrains TeamCity Open redirect Vulnerability (CVE-2026-28194) |
| 530983 | JetBrains TeamCity Missing Authorization Vulnerability (CVE-2026-28195) |
| 530984 | JetBrains TeamCity Residual Credential File Vulnerability (CVE-2026-28196) |
| 530985 | WordPress WP Maps Plugin: Local File Inclusion Vulnerability (CVE-2025-12062) |
| 530986 | WordPress WooCommerce Ajax Filter Plugin: PHP Object Injection Vulnerability (CVE-2026-1426) |
| 530987 | WordPress ShopLentor Plugin: Email Relay Abuse Vulnerability (CVE-2026-1714) |
| 530988 | WordPress Tablesome Plugin: Information Exposure Vulnerability (CVE-2025-12845) |
| 530989 | DNN Stored Cross-Site Scripting Vulnerabilities (CVE-2026-24838, CVE-2026-24833) |
| 530990 | DNN Stored Cross-Site Scripting Vulnerabilities (CVE-2026-24837, CVE-2026-24836, CVE-2026-24784) |
| 530991 | DNN Arbitrary File Upload Vulnerabilities (CVE-2025-64095, CVE-2025-62802) |
| 530992 | WordPress Piotnet Addons Plugin: Cross-site Scripting (XSS) Vulnerability (CVE-2024-33630) |
| 530993 | WordPress NewsBlogger Theme: Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-12821) |
| 530994 | WordPress Orderable Plugin: Missing Authorization Vulnerability (CVE-2026-0974) |
| 530995 | PHAR Stream Wrapper Injection Possible |
| 530996 | WordPress Toret Manager Plugin: Missing Authorization Vulnerability (CVE-2026-0912) |
| 530997 | WordPress WP AUDIO GALLERY Plugin: Missing Authorization Vulnerability (CVE-2025-13603) |
| 530998 | WordPress Responsive Lightbox Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-15386) |
| 530999 | WordPress Magic Login Mail Plugin: Privilege Escalation Vulnerability (CVE-2026-2144) |
| 531000 | Drupal Login Time Restriction Module: Cross Site Request Forgery (CSRF) Vulnerability (CVE-2025-13982) |
| 531001 | Gradio Server-Side Request Forgery Vulnerability (CVE-2026-28416) |
| 531002 | Gradio Path Traversal Vulnerability (CVE-2026-28414) |
| 531003 | Gradio Open Redirect Vulnerability (CVE-2026-28415) |
| 531004 | Gradio Server Credentials Exposed and Use of Hardcoded Session Secret Vulnerability (CVE-2026-27167) |
| 531007 | EOL/Obsolete Software: GitLab CE/EE Detected |
| 531008 | EOL/Obsolete Software: Grafana Detected |
| 531009 | WordPress Soledad Theme: Local File Inclusion Vulnerability (CVE-2025-68066) |
| 531010 | Keycloak Broken Access Control Vulnerability (CVE-2024-3656) |
| 531011 | Keycloak Authorization Bypass Vulnerability (CVE-2017-12160) |
| 531012 | WordPress Stockholm Core Plugin: Local File Inclusion Vulnerability (CVE-2025-68067) |
| 531013 | WordPress Sneeit Framework Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2025-6389) |
| 531014 | WordPress Download Manager Plugin: PHAR Deserialization Vulnerability (CVE-2022-2436) |
| 531015 | DNN Stored Cross-Site Scripting Vulnerability (CVE-2025-64094) |
| 531016 | Apache Tomcat Race Condition Vulnerability (CVE-2018-8037) |
| 531017 | DNN Cross-Site Scripting Vulnerabilities |
| 531018 | Omnissa Workspace ONE UEM Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-25229) |
| 531019 | Omnissa Workspace ONE UEM Secondary Context Path Traversal Vulnerability (CVE-2025-25231) |
| 531020 | WordPress Themify Multiple Themes: Arbitrary File Upload Vulnerability (CVE-2025-30996) |
| 531021 | WordPress User Registration Plugin: Privilege Escalation Vulnerability (CVE-2026-1492) |
| 531022 | WordPress Modular DS Plugin: Privilege Escalation Vulnerability (CVE-2026-23800) |
| 531023 | DNN Insufficient Filename Sanitization Vulnerability (CVE-2025-59547) |
| 531024 | DNN Arbitrary Theme Loading Vulnerability (CVE-2025-59535) |
| 531026 | Omnissa Workspace ONE UEM Server-Side Request Forgery (SSRF) Vulnerability (CVE-2021-22054) |
| 531027 | WordPress SiteOrigin Panels Plugin: Local File Inclusion Vulnerability (CVE-2026-2448) |
| 531028 | WordPress Master Addons Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2026-3132) |
| 531029 | DNN Login IP Filter Bypass Vulnerability (CVE-2025-52487) |
| 531030 | DNN Cross-Site Scripting Vulnerabilities (CVE-2025-52486, CVE-2025-52485) |
| 531031 | Strapi CMS Insufficient Session Expiration Vulnerability (CVE-2025-3930) |
| 531032 | Strapi CMS CORS Misconfiguration Vulnerability (CVE-2025-53092) |
| 531033 | Strapi CMS Weak Password Validation Vulnerability (CVE-2025-25298) |
| 531034 | Strapi CMS Authorization Bypass Vulnerability (CVE-2024-56143) |
| 531035 | Apache Ranger Remote Code Execution Vulnerability (CVE-2025-59059) |
| 531036 | Strapi CMS Server Side Request Forgery (SSRF) Vulnerability (CVE-2024-52588) |
| 531037 | Strapi CMS Authentication Bypass Vulnerability (CVE-2024-34065) |
| 531038 | WordPress Pojo Accessibility Plugin: SQL Injection Vulnerability (CVE-2026-2413) |
| 531039 | WordPress Login With Azure Plugin: Authentication Bypass Vulnerability (CVE-2026-2628) |
| 531040 | WordPress Tutor LMS Plugin: SQL Injection Vulnerability (CVE-2025-13673) |
| 531041 | Microsoft SharePoint Remote Code Execution (RCE) Vulnerability (CVE-2026-20963) |
| 531042 | F5 BIG-IP HTTP/2 Denial of Service (DoS) Vulnerability (CVE-2025-54500) |
| 531043 | Craft CMS Privilege Escalation Vulnerability (CVE-2026-32267) |
| 531044 | Langflow Remote Code Execution Vulnerability (CVE-2026-33017) |
| 531045 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2026-32264) |
| 531046 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2026-32263) |
| 531047 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2026-25498) |
| 531048 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2025-68455) |
| 531049 | Apache Superset Improper Input Validation Vulnerability (CVE-2026-23984) |
| 531050 | Apache Superset Sensitive Data Exposure Vulnerability (CVE-2026-23983) |
| 531051 | Apache Superset SQL Injection Vulnerability (CVE-2026-23980) |
| 531052 | Apache Superset Sensitive Information Exposure Vulnerability (CVE-2026-23969) |
| 531053 | Craft CMS Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-27127) |
| 531054 | WordPress Nutrie Theme: Arbitrary File Upload Vulnerability (CVE-2025-68555) |
| 531055 | WordPress Classter Theme: PHP Object Injection Vulnerability (CVE-2025-54001) |
| 531056 | Apache Spark Code Execution Vulnerability (CVE-2025-54920) |
| 531057 | WordPress Charety Theme: Arbitrary File Upload Vulnerability (CVE-2026-24960) |
| 531058 | WordPress Pets Club Theme: PHP Object Injection Vulnerability (CVE-2026-22453) |
| 531059 | WordPress Keenarch Theme: Arbitrary File Upload Vulnerability (CVE-2025-68554) |
| 531060 | Apache Camel Insecure Deserialization Vulnerability (CVE-2026-25747) |
| 531061 | Zimbra Cross-Site Scripting (XSS) Vulnerabilities (CVE-2026-33368, CVE-2026-33370) |
| 531062 | Zimbra LDAP Injection Vulnerability (CVE-2026-33369) |
| 531063 | Zimbra XML External Entity (XXE) Vulnerability (CVE-2026-33371) |
| 531064 | Zimbra Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2026-33372) |
| 531069 | Apache Airflow Code Execution Vulnerability (CVE-2024-56373) |
| 531070 | Apache Airflow Sensitive Value Exposure Vulnerability (CVE-2025-27555) |
| 531071 | Apache Airflow Missing Authorization Vulnerability (CVE-2026-30911) |
| 580930 | Weak Credentials |
| 580931 | API Authentication Endpoint Without Rate Limiting |
| 580932 | Hoverfly Command Injection Vulnerability (CVE-2025-54123) |
| 580933 | EasyCVR Information Exposure Vulnerability |
| 580934 | Username Enumeration via API Login Endpoint |
| 580935 | OAuth Credentials File Exposure |
| 580936 | HTTP Verb Tampering |
| 580937 | Grafana Default Login |
| 580939 | OTP Disclosure in API Response |
| 580940 | Glances Unauthenticated API Exposure (CVE-2026-32596) |
| 580941 | OTP Endpoint Without Rate Limiting |
| 580942 | Empty OTP Bypass Vulnerability |
| 580943 | OTP Bypass via Missing OTP Parameter |
Qualys Notification: Application Security Detections Published in March 2026