Web Application Detections Published in October 2025
In October, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
Prebid.js, Apache HTTP Server, Liferay Portal, Squid, GitLab, Flowise, Apache Airflow, Joomla!, ClipBucket, Adobe (Magento/Connect), XWiki, Zabbix, Jenkins, WordPress, Fortinet (FortiWeb), Progress Telerik, SAP, Apache Kylin, Palo Alto Networks, Oracle, Splunk Enterprise, JetBrains (TeamCity/YouTrack), Tableau, Sitecore, Citrix (NetScaler), PHP-Fusion, Apache Tomcat, Node.js, Spring (MVC), Ruby on Rails, Nginx, ElasticSearch, Prometheus, Mongo Express, Redis, CircleCI, Google, Ansible, Django, AWS and KubePi.
The following table lists the QIDs released in October 2025.
| QID | Title |
|---|---|
| 151069 | Prebid.js Supply Chain Compromised Release Vulnerability (CVE-2025-59038) |
| 520074 | Apache HTTP Server Multiple Vulnerabilities (CVE-2024-38476) |
| 520075 | Liferay Portal Open Membership Default Vulnerability (CVE-2025-43797) |
| 520076 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-43800) |
| 520077 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-43815) |
| 520078 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-43818) |
| 520082 | Squid Information Disclosure Vulnerability (CVE-2025-62168) |
| 530520 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-9642) |
| 530521 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-10858) |
| 530522 | Flowise Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-59527) |
| 530523 | Flowise Remote Code Execution (RCE) Vulnerability (CVE-2025-59528) |
| 530524 | Apache Airflow Connection Sensitive Details Exposure Vulnerability (CVE-2025-54831) |
| 530525 | Joomla! Core Cross-Site Scripting Vulnerability (CVE-2024-40748) |
| 530526 | ClipBucket V5 Arbitrary File Upload Vulnerability (CVE-2025-55912) |
| 530527 | Adobe Magento Multiple Vulnerabilities (APSB21-30) |
| 530528 | WordPress Media Player Addons for Elementor Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-9203) |
| 530529 | Adobe Magento Multiple Vulnerabilities (APSB22-48) |
| 530530 | XWiki Password Hash Exposure Vulnerability (CVE-2025-54124) |
| 530531 | Zabbix Second-Order SQL Injection Vulnerability (CVE-2025-27240) |
| 530532 | Jenkins Log Message Injection Vulnerability (CVE-2025-59476) |
| 530533 | WordPress Blocksy Companion Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-9565) |
| 530534 | WordPress Ocean Extra Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-9499) |
| 530535 | Adobe Magento Multiple Vulnerabilities (APSB22-38) |
| 530536 | FortiWeb Authentication Bypass Vulnerability (CVE-2025-52970) |
| 530537 | Adobe Magento Improper Input Validation Vulnerabilities (CVE-2022-24086,CVE-2022-24087) |
| 530538 | Adobe Magento Multiple Vulnerabilities (APSB23-17) |
| 530539 | WordPress Advanced Views (acf-views) Plugin: Server-Side Template Injection Vulnerability (CVE-2025-10380) |
| 530540 | WordPress Appointment Booking Calendar Plugin: Template Injection Vulnerability (CVE-2024-7129) |
| 530541 | Jenkins Missing Authorization Vulnerability (CVE-2025-59474) |
| 530542 | Jenkins Missing Authorization Vulnerability (CVE-2025-59475) |
| 530543 | Adobe Magento Multiple Vulnerabilities (APSB23-35) |
| 530544 | Progress Telerik Report Server Deserialization Vulnerability (CVE-2024-1800) |
| 530545 | SAP NetWeaver Insecure Deserialization Vulnerability (CVE-2025-42944) |
| 530546 | Apache Kylin Unrestricted File Read Vulnerability (CVE-2025-61734) |
| 530547 | WordPress StoreEngine Plugin: Arbitrary File Upload Vulnerability (CVE-2025-9216) |
| 530548 | WordPress SureForms Plugin: Cross-Site Scripting Vulnerability (CVE-2025-8282) |
| 530549 | Apache Kylin Server-Side Request Forgery Vulnerability (CVE-2025-61735) |
| 530550 | Apache Kylin Authentication Bypass Vulnerability (CVE-2025-61733) |
| 530551 | Palo Alto Networks PAN-OS Command Injection Vulnerability (CVE-2024-3400) (Intrusive Check) |
| 530552 | Adobe Magento Improper Input Validation Vulnerabilities |
| 530553 | Adobe Magento Cross-Site Request Forgery Vulnerability (CVE-2021-39864) |
| 530554 | Splunk Enterprise Improper Access Control Vulnerability (CVE-2025-20366) |
| 530555 | Splunk Enterprise Cross-site Scripting (XSS) Vulnerabilities (CVE-2025-20367 |
| 530556 | JetBrains TeamCity Project Isolation Bypass Vulnerability (CVE-2025-59455) |
| 530557 | JetBrains TeamCity Path Traversal Vulnerability (CVE-2025-59456) |
| 530558 | JetBrains TeamCity Credential Exposure via Git URL Handling Vulnerability (CVE-2025-59457) |
| 530559 | Adobe Magento Improper Input Validation Vulnerability (CVE-2025-54236) |
| 530560 | WordPress Copypress Rest API Plugin: Remote Code Execution Vulnerability (CVE-2025-8625) |
| 530561 | WordPress LatePoint Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-7052) |
| 530562 | Adobe Magento Multiple Security Vulnerabilities |
| 530563 | Adobe Magento Cross-Site Scripting Vulnerabilities (CVE-2019-8139,CVE-2025-20368) |
| 530564 | SAP S/4HANA Code Injection Vulnerability (CVE-2025-42957) |
| 530565 | WordPress LatePoint Plugin: Authentication Bypass Vulnerability (CVE-2025-7038) |
| 530566 | Adobe Magento Multiple Security Vulnerabilities |
| 530567 | Adobe Magento Multiple Security Vulnerabilities |
| 530568 | Adobe Magento Multiple Security Vulnerabilities |
| 530569 | Adobe Magento Multiple Security Vulnerabilities |
| 530570 | WordPress WP Statistics Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-9816) |
| 530571 | Oracle E-Business Suite Remote Code Execution (RCE) Vulnerability (CVE-2025-61882) |
| 530572 | WordPress Qyrr Plugin: Arbitrary File Upload Vulnerability (CVE-2025-10000) |
| 530573 | WordPress Post By Email Plugin: Arbitrary File Upload Vulnerability (CVE-2025-9762) |
| 530575 | GitLab EE Incorrect Authorization Vulnerability (CVE-2025-11340) |
| 530576 | Fortinet FortiOS Heap-based Buffer Overflow Vulnerability (CVE-2025-57740) |
| 530577 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-10004) |
| 530578 | Flowise Remote Code Execution (RCE) Vulnerability (CVE-2025-34267) |
| 530579 | Flowise Arbitrary File Read/Write Vulnerability (CVE-2025-61913) |
| 530580 | GitLab CE/EE Missing Authorization Vulnerability (CVE-2025-9825) |
| 530581 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-2934) |
| 530582 | WordPress Nexa Blocks Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-8624) |
| 530583 | WordPress Mihdan Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-8608) |
| 530584 | WordPress All in One Music Player Plugin: Path Traversal Vulnerability (CVE-2025-8559) |
| 530585 | WordPress Yoga Schedule Momoyoga Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-9852) |
| 530586 | Oracle WebLogic Server Multiple Vulnerabilities (CPU-OCT2025) |
| 530587 | Adobe Magento Incorrect Authorization Vulnerabilities (CVE-2025-54263,CVE-2025-54265,CVE-2025-54267) |
| 530588 | Adobe Magento Cross-Site Scripting Vulnerabilities (CVE-2025-54264,CVE-2025-54266) |
| 530589 | Zimbra Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-62763) |
| 530590 | Adobe Connect Cross-site Scripting Vulnerabilities (CVE-2025-49552,CVE-2025-49553) |
| 530591 | Adobe Connect Open Redirect Vulnerability (CVE-2025-54196) |
| 530593 | XWiki Path Traversal Vulnerability (CVE-2025-55747) |
| 530594 | WordPress Pie Register Plugin: Authentication Bypass Vulnerability (CVE-2025-34077) |
| 530595 | WordPress Any News Ticker Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-10168) |
| 530596 | WordPress My AskAI Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-10179) |
| 530597 | WordPress LatePoint Plugin: Stored Cross-Site Scripting Vulnerabilities (CVE-2025-6941,CVE-2025-6815) |
| 530598 | WordPress GutenBee Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-8566) |
| 530599 | WordPress OAuth SSO Plugin: Improper Verification of Cryptographic Signature Vulnerability (CVE-2025-9485) |
| 530601 | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-61884) |
| 530602 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-11042) |
| 530603 | Apache Tomcat Relative Path Traversal vulnerability (CVE-2025-55752) |
| 530604 | GitLab EE Privilege Escalation Vulnerability (CVE-2025-7691) |
| 530605 | GitLab EE Improper Authorization Vulnerability (CVE-2025-10871) |
| 530606 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-8014) |
| 580858 | XML Internal Entity Vulnerability |
| 580860 | Authentication Bypass via Staging Login URLs |
| 580862 | Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646) |
| 580863 | PHP-Fusion Remote Code Execution Vulnerability (CVE-2020-24949) |
| 580864 | Apache Tomcat Cross-site Scripting Vulnerability (CVE-2019-0221) |
| 580865 | CAPTCHA Bypass via HTTP Header Manipulation |
| 580866 | Local File Inclusion in User-Agent Header (Linux) |
| 580867 | Local File Inclusion in User-Agent Header (Windows) |
| 580868 | Local File Inclusion in Referer Header (Linux) |
| 580869 | Local File Inclusion in Referer Header (Windows) |
| 580870 | Node.js Local File Inclusion (LFI) Vulnerability |
| 580871 | Spring MVC Local File Inclusion Vulnerability |
| 580872 | Ruby On Rails Local File Inclusion Vulnerability |
| 580874 | Apache Server Status Exposure |
| 580875 | Information Disclosure via Response Headers |
| 580876 | Rails Debug Mode Enabled |
| 580877 | Zookeeper APIs Exposed |
| 580878 | Wgetrc Configuration File Exposure |
| 580879 | Mongo Express Unauthenticated Access |
| 580880 | Source Code Disclosure via WEB-INF |
| 580881 | Redis Configuration File Exposure |
| 580882 | Prometheus Debug Exposed |
| 580883 | Parameters.yml File Disclosed |
| 580884 | Bypass Deposit Validation for Orders and Pre-Orders |
Qualys Notification: Web Application Detections Published in October 2025