Web Application Detections Published in November 2025
In November, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
jQuery, WordPress, Liferay Portal, SAP, GitLab, FreePBX, Authentik, Atlassian Confluence, Ivanti, Grafana, Progress MOVEit, Drupal, Hashicorp Vault, Control Web Panel (CWP), SuiteCRM, NVIDIA, Open WebUI, WSO2, Fortinet, Adobe Magento, Apache Tomcat, Apache OFBiz, NetScaler, ClipBucket, Oracle, Google, Fluent Bit, Apache Causeway, Rails and Better Auth
Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities. Immediate resolution of these vulnerabilities as soon as they are detected should be a priority for all organizations. If left unaddressed, these vulnerabilities can pose significant security risks, including breaches, unauthorized access, and various malicious activities.
The following table lists the QIDs released in November 2025.
| QID | Title |
|---|---|
| 151070 | EOL/Obsolete Library: jQuery 1.X Library Detected |
| 151071 | EOL/Obsolete Library: jQuery 2.X Library Detected |
| 154180 | EOL/Obsolete Software: WordPress 0.7x Detected |
| 154181 | EOL/Obsolete Software: WordPress 1.x Detected |
| 154182 | EOL/Obsolete Software: WordPress 3.x Detected |
| 154183 | EOL/Obsolete Software: WordPress 4.x Detected |
| 154184 | EOL/Obsolete Software: WordPress 5.x Detected |
| 154185 | EOL/Obsolete Software: WordPress 6.x Detected |
| 154186 | EOL/Obsolete Software: WordPress 2.x Detected |
| 520075 | Liferay Portal Open Membership Default Vulnerability (CVE-2025-43797) |
| 520076 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-43800) |
| 520077 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-43815) |
| 520078 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-43818) |
| 520080 | Liferay Portal Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2025-43811) |
| 520081 | Liferay Portal Multiple Vulnerabilities (CVE-2025-43813) |
| 530564 | SAP S/4HANA Code Injection Vulnerability (CVE-2025-42957) |
| 530574 | WordPress Bei Fen Plugin: Local File Inclusion Vulnerability (CVE-2025-9993) |
| 530600 | HTTP/1.0 Protocol Downgrade Accepted |
| 530607 | WordPress AffiliateWP Plugin: SQL Injection Vulnerability (CVE-2025-8877) |
| 530608 | WordPress Spirit Framework Talemy Theme: Authentication Bypass Vulnerability (CVE-2025-6388) |
| 530609 | WordPress Pack Elementor Addon Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-8214) |
| 530610 | GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-9958) |
| 530611 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-10867) |
| 530612 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-10868) |
| 530613 | WordPress Cost Calculator Builder Plugin: Missing Authorization Vulnerability (CVE-2025-9243) |
| 530614 | WordPress StoreEngine Plugin: Path Traversal Vulnerability (CVE-2025-9215) |
| 530615 | WordPress LockerPress Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-9946) |
| 530616 | WordPress WP Database Backup Plugin: OS Command Injection Vulnerability (CVE-2019-25224) |
| 530617 | WordPress Big Post Shipping for WooCommerce plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-10191) |
| 530618 | WordPress Core: Information Disclosure Vulnerability (CVE-2025-54352) |
| 530619 | FreePBX Remote Code Execution Vulnerability (CVE-2025-57819) |
| 530620 | Authentik Session Fixation Vulnerability (CVE-2025-29928) |
| 530621 | Atlassian Confluence Data Center and Server Denial of Service Vulnerability (CVE-2025-22166) |
| 530622 | Ivanti Endpoint Manager Mobile (EPMM) OS Command Injection Vulnerabilities (CVE-2025-10242,CVE-2025-10243,CVE-2025-10985) |
| 530623 | Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability (CVE-2025-10986) |
| 530624 | Grafana Improper Input Validation Vulnerability (CVE-2025-1088) |
| 530625 | Authentik Improper Privilege Management Vulnerability (CVE-2025-53942) |
| 530626 | Authentik Improper Access Control Vulnerability (CVE-2024-38371) |
| 530627 | Authentik OAuth2 Provider Improper Redirect URI Validation (CVE-2024-52289) |
| 530628 | WordPress Core: Stored Cross-Site Scripting Vulnerability (CVE-2024-31111) |
| 530629 | Progress MOVEit Transfer Uncontrolled Resource Consumption Vulnerability (CVE-2025-10932) |
| 530630 | Drupal Acquia DAM: Access Bypass Vulnerability (CVE-2025-9954) |
| 530631 | Hashicorp Vault Denial Of Service Vulnerability (CVE-2025-12044) |
| 530632 | Drupal CivicTheme: Information Disclosure Vulnerability (CVE-2025-12082) |
| 530633 | WordPress AI Engine Plugin: Sensitive Information Exposure Vulnerability (CVE-2025-11749) |
| 530634 | Hashicorp Vault Authentication Bypass Vulnerability (CVE-2025-11621) |
| 530635 | Control Web Panel (CWP) Remote Code Execution (RCE) Vulnerability (CVE-2025-48703) |
| 530636 | WordPress Gravity Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2025-12352) |
| 530637 | WordPress Better Find and Replace Plugin: Limited Code Injection Vulnerability (CVE-2025-9334) |
| 530638 | WordPress Smart Auto Upload Images Plugin: Arbitrary File Upload Vulnerability (CVE-2025-12161) |
| 530639 | SuiteCRM SQL Injection Vulnerability (CVE-2025-64492) |
| 530642 | Ivanti Endpoint Manager (EPM) Arbitrary File Write Vulnerability (CVE-2025-10918) |
| 530643 | SuiteCRM SQL Injection Vulnerability (CVE-2025-64488) |
| 530644 | Ivanti Endpoint Manager (EPM) Remote Code Execution (RCE) Vulnerability (CVE-2025-9713) |
| 530645 | Ivanti Endpoint Manager (EPM) Insecure Deserialization Vulnerability (CVE-2025-11622) |
| 530646 | SuiteCRM Privilege Escalation Vulnerability (CVE-2025-64489) |
| 530647 | NVIDIA Triton Inference Server Stack Overflow Vulnerability (CVE-2025-33202) |
| 530648 | SuiteCRM Access Control Bypass Vulnerability (CVE-2025-64490) |
| 530649 | SuiteCRM SQL Injection Vulnerability (CVE-2025-64493) |
| 530650 | SuiteCRM Cross-Site Scripting Vulnerability (CVE-2025-64491) |
| 530653 | Open WebUI Cross-Site Scripting Vulnerability (CVE-2025-64495) |
| 530654 | WSO2 API Manager Improper Privilege Management Vulnerability (CVE-2025-9152) |
| 530655 | Fortinet FortiWeb Authentication Bypass Vulnerability (CVE-2025-64446) |
| 530656 | WordPress Holiday class post calendar Plugin: Remote Code Execution Vulnerability (CVE-2025-12813) |
| 530657 | WordPress TNC Toolbox Plugin: Sensitive Information Exposure Vulnerability (CVE-2025-12539) |
| 530659 | Adobe Magento OS Command Injection Vulnerabilities (CVE-2024-39401,CVE-2024-39402) |
| 530660 | WordPress Selling Commander for WooCommerce Plugin: Privilege Escalation Vulnerability (CVE-2025-60243) |
| 530661 | WordPress WP User Manager Plugin: PHP Object Injection Vulnerability (CVE-2025-60245) |
| 530662 | Adobe Magento Improper Restriction of Excessive Authentication Attempts Vulnerability (CVE-2024-39398) |
| 530663 | WordPress Community Events Plugin: SQL Injection Vulnerability (CVE-2025-10586) |
| 530664 | Adobe Magento Path Traversal Vulnerability (CVE-2024-39399) |
| 530665 | Adobe Magento Cross-site Scripting Vulnerabilities (CVE-2024-39400,CVE-2024-39403) |
| 530666 | Adobe Magento Path Traversal Vulnerability (CVE-2024-39406) |
| 530667 | Adobe Magento Improper Authorization Vulnerabilities |
| 530669 | WordPress Ovatheme Events Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2025-6553) |
| 530670 | WordPress WP Freeio Plugin: Privilege Escalation Vulnerability (CVE-2025-11533) |
| 530671 | WordPress W3 Total Cache Plugin: Command Injection Vulnerability (CVE-2025-9501) |
| 530672 | Apache Tomcat Default Credentials |
| 530673 | Apache OFBiz Unrestricted File Upload Vulnerability (CVE-2025-59118) |
| 530674 | Apache OFBiz Cross-Site Scripting Vulnerability (CVE-2025-61623) |
| 530675 | Grafana Incorrect Privilege Assignment Vulnerability (CVE-2025-41115) |
| 530676 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Cross-Site Scripting (XSS) Vulnerability (CVE-2025-12101) |
| 530677 | WordPress IDonate Plugin: Account Takeover Vulnerability (CVE-2025-4519) |
| 530678 | WordPress LC Wizard Plugin: Privilege Escalation Vulnerability (CVE-2025-5483) |
| 530680 | ClipBucket V5 Cross-Site Scripting Vulnerabilities (CVE-2025-64336,CVE-2025-64339) |
| 530683 | WordPress Blocksy Companion Plugin: Arbitrary File Upload Vulnerability (CVE-2025-12846) |
| 530684 | WordPress Tatsu Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2021-25094) |
| 530685 | Oracle Identity Manager Authentication Bypass Vulnerability (CVE-2025-61757) |
| 530686 | Google Tracking Detected |
| 530687 | Fluent Bit Stack Buffer Overflow Vulnerability (CVE-2025-12970) |
| 530688 | Fluent Bit Improper Input Validation Vulnerability (CVE-2025-12977) |
| 530689 | Apache Causeway Insecure Java Deserialization Vulnerability (CVE-2025-64408) |
| 530690 | Default Home Page for Rails Web Server Found |
| 530691 | Fluent Bit Path Traversal Vulnerability (CVE-2025-12972) |
| 530692 | Fluent Bit Log Tag Spoofing Vulnerability (CVE-2025-12978) |
| 530693 | Fluent Bit Authentication Bypass Vulnerability (CVE-2025-12969) |
| 530694 | GitLab EE Incorrect Authorization Vulnerability (CVE-2025-11865) |
| 530695 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-11224) |
| 530696 | GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-7000) |
| 580801 | IDOR via POST Request Body |
| 580885 | BFLA – Vertical Privilege Escalation via URL Subpath Replacement |
| 580886 | API Keys Exposed in Public JavaScript Config Files |
| 580887 | Sitecore Version Disclosure |
| 580888 | SSH Private Key (id_rsa) Exposed |
| 580889 | SSH known_hosts File Exposure |
| 580890 | Unauthenticated API Key Creation |
| 580891 | Better Auth Account Takeover via Unauthenticated API Key Creation (CVE-2025-61928) |
| 580892 | NoSQL Injection |
| 580893 | Timestamp Disclosure – Unix |
| 580894 | Drupal JSON API Username Listing Endpoint Exposure |
| 580895 | FTP Credentials Exposure |
Qualys Notification: Web Application Detections Published in November 2025