Web Application Detections Published in September 2025

In September, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:

Next.js, Adobe (Magento/ColdFusion), JetBrains (TeamCity/YouTrack), MLflow, NetScaler, FoxCMS, Craft CMS, GitHub (Enterprise Server), Jenkins, Sitecore, SAP (NetWeaver), Tableau, Ivanti (Connect Secure / EPM), WordPress, Oracle (Access Manager / WebLogic), SolarWinds, Fortra (GoAnywhere), GitLab, Grafana, Apache, Ansible, CircleCI, Django, ElasticSearch, Nginx, Google, KubePi and AWS.

Details about the following QIDs can be found in our knowledge base. Please review the scan reports for your applications for these detections and, if any are identified, follow the remediation steps in the knowledge base to protect the affected applications against the reported vulnerabilities. Resolving these vulnerabilities promptly after detection should be a priority for all organizations; left unaddressed, they can lead to breaches, unauthorized access, and other malicious activity.

The following table lists the QIDs released in September 2025.

QID Title
151068 Next.js Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-57822)
530436 Adobe Magento Incorrect Authorization Vulnerability (CVE-2020-24401)
530437 Adobe Magento Incorrect Permissions Vulnerability (CVE-2020-24404)
530438 JetBrains TeamCity Privilege Escalation Vulnerability (CVE-2025-57732)
530439 JetBrains TeamCity SMTP Injection Vulnerability (CVE-2025-57733)
530440 JetBrains TeamCity AWS Credential Exposure Vulnerability (CVE-2025-57734)
530441 Adobe Magento Cross-Site Scripting Vulnerability (CVE-2020-24408)
530442 Adobe Magento Incorrect Permissions Vulnerabilities (CVE-2020-24403,CVE-2020-24405)
530443 Adobe Magento Information Disclosure Vulnerability (CVE-2020-24406)
530444 MLflow Path Traversal Vulnerability (CVE-2023-2356)
530445 NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Memory Overflow Vulnerabilities (CVE-2025-7775,CVE-2025-7776)
530446 NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Improper Access Control Vulnerability (CVE-2025-8424)
530447 FoxCMS Reflected Cross Site Scripting (XSS) Vulnerability (CVE-2025-55422)
530448 Adobe Magento Business Logic Error Vulnerability (CVE-2021-36012)
530449 Adobe Magento Cross-Site Scripting Vulnerabilities (CVE-2021-36026,CVE-2021-36027)
530450 Adobe Magento Improper Access Control Vulnerability (CVE-2021-36036)
530451 Adobe Magento Improper Authorization Vulnerability (CVE-2021-36029)
530452 Adobe Magento Improper Authorization Vulnerability (CVE-2021-36037)
530453 CraftCMS Freeform Server-side template injection (SSTI) Vulnerability (CVE-2025-52122)
530454 Adobe Magento Server-Side Request Forgery Vulnerability (CVE-2021-36043)
530455 Adobe Magento Path Traversal Vulnerability (CVE-2021-36031)
530456 Adobe Magento XML Injection Vulnerabilities (CVE-2021-36022,CVE-2021-36023)
530457 Adobe Magento OS Command Injection Vulnerability (CVE-2021-36024)
530458 Adobe Magento XML Injection Vulnerabilities (CVE-2021-36020,CVE-2021-36028,CVE-2021-36033)
530460 Craft CMS Remote Command Execution Vulnerability (CVE-2025-54417)
530461 GitHub Enterprise Server Server-Side Request Forgery Vulnerability (CVE-2024-3684)
530462 Jenkins Statistics Gatherer Plugin AWS Secret Key Exposure Vulnerabilities (CVE-2025-53654,CVE-2025-53655)
530463 Jenkins ReadyAPI Functional Testing Plugin Information Disclosure Vulnerabilities (CVE-2025-53656,CVE-2025-53657)
530466 Adobe Magento XML Injection Vulnerability (CVE-2023-38207)
530467 Adobe Magento OS Command Injection Vulnerability (CVE-2023-38208)
530468 Adobe Magento Incorrect Authorization Vulnerability (CVE-2023-38209)
530469 Adobe Magento OS Command Injection Vulnerabilities (CVE-2021-21015,CVE-2021-21016,CVE-2021-21018)
530470 Adobe Magento SQL Injection Vulnerability (CVE-2021-21024)
530471 Adobe Magento XML Injection Vulnerabilities (CVE-2021-21019,CVE-2021-21025)
530472 JetBrains YouTrack Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-57731)
530473 Sitecore Experience Platform (XP) Insecure Deserialization Vulnerability (CVE-2025-53690)
530474 SAP NetWeaver AS Java Insecure File Operations Vulnerability (CVE-2025-42922)
530475 Adobe Magento Cross-Site Scripting Vulnerabilities (CVE-2021-21023,CVE-2021-21029,CVE-2021-21030)
530476 Tableau Server Authorization Bypass Vulnerabilities (CVE-2025-52446,CVE-2025-52447,CVE-2025-52448)
530477 Tableau Server Unrestricted File Upload Vulnerability (CVE-2025-52449)
530478 Tableau Server Path Traversal Vulnerability (CVE-2025-52452)
530479 Tableau Server Server-Side Request Forgery (SSRF) Vulnerabilities (CVE-2025-52453,CVE-2025-52454,CVE-2025-52455)
530480 Adobe Magento Access Control Bypass Vulnerability (CVE-2021-21020)
530481 Ivanti Connect Secure (ICS) Missing Authorization Vulnerabilities
530482 Ivanti Connect Secure (ICS) Cross-Site Request Forgery (CSRF) Vulnerabilities (CVE-2025-8711,CVE-2025-55147)
530483 Ivanti Connect Secure (ICS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-55139)
530484 Adobe Magento File Upload Restriction Bypass Vulnerability (CVE-2021-21014)
530485 WordPress Eventin Plugin: Privilege Escalation Vulnerability (CVE-2025-4796)
530486 Adobe Magento Insecure Direct Object Reference Vulnerabilities (CVE-2021-21012,CVE-2021-21013,CVE-2021-21022)
530487 WordPress Post SMTP Plugin: Account Takeover Vulnerability (CVE-2025-24000)
530488 Adobe Magento Improper Authorization Vulnerability (CVE-2021-21026)
530489 Adobe Magento Cross-Site Request Forgery Vulnerability (CVE-2021-21027)
530490 Adobe Magento Insufficient Validation of User Session Vulnerabilities (CVE-2021-21031,CVE-2021-21032)
530491 Flowise Password Reset Token Disclosure Vulnerability (CVE-2025-58434)
530492 Ivanti Connect Secure (ICS) Reflected Text Injection Vulnerability (CVE-2025-55143)
530493 Ivanti Connect Secure (ICS) Denial of Service (DoS) Vulnerability (CVE-2025-55146)
530495 Jenkins QMetry Test Management Plugin API Key Exposure Vulnerabilities (CVE-2025-53659,CVE-2025-53660)
530496 WordPress Single Sign-On (SSO) Plugin: Incorrect Authorization Vulnerability (CVE-2025-6003)
530497 Adobe Magento Remote Code Execution Vulnerabilities
530499 WordPress Gutenberg Template Library and Redux Framework Plugin: Sensitive Information Disclosure Vulnerability (CVE-2021-38314)
530500 Oracle Access Manager Remote Code Execution (RCE) Vulnerability (CVE-2021-35587)
530501 SolarWinds Web Help Desk AjaxProxy Deserialization Remote Code Execution Vulnerability (CVE-2025-26399)
530502 Adobe Magento SQL Injection Vulnerabilities
530503 Adobe Magento XPath Injection Vulnerability (CVE-2019-8158)
530504 Adobe Magento Insecure Authentication and Session Management Vulnerabilities (CVE-2019-8108,CVE-2019-8116,CVE-2019-8149)
530505 Fortra GoAnywhere MFT Deserialization Vulnerability (CVE-2025-10035)
530506 Adobe Magento Unrestricted File Upload Vulnerability (CVE-2019-8140)
530507 Adobe Magento Insecure Component Vulnerability (CVE-2019-8136)
530508 Adobe Magento Insecure Component Vulnerability (CVE-2019-8121)
530509 WordPress WPCasa Plugin: Code Injection Vulnerability (CVE-2025-9321)
530510 Adobe Magento Server-Side Request Forgery Vulnerability (CVE-2019-8156)
530511 Adobe Magento Arbitrary File Deletion Vulnerability (CVE-2019-8090)
530512 Adobe Magento Arbitrary File Deletion Vulnerability (CVE-2019-8107)
530515 GitLab CE/EE Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-6454)
530516 GitLab CE/EE Denial of Service Vulnerability (CVE-2025-2256)
530517 GitLab CE/EE Denial of Service Vulnerability (CVE-2025-1250)
530518 GitLab CE/EE Denial of Service Vulnerability (CVE-2025-7337)
530519 Ivanti Endpoint Manager (EPM) Remote Code Execution (RCE) Vulnerabilities (CVE-2025-9712,CVE-2025-9872)
580817 Improper Validation of Time-based Business Logic
580818 Minimum Spend Requirement Bypass
580819 Improper Validation of Subscription Cancellation Dates
580820 Improper Validation of Coupon Reuse
580822 CAPTCHA Bypass via Missing Cookie Validation
580823 TRACK Method Detected
580824 Authentication Bypass via Host Header Injection
580825 AWS Container Metadata Content Exposure
580826 Ansible Configuration Exposure
580827 Apache Configuration File Disclosure
580828 Apache Pulsar Service Exposure
580829 SQL Injection in Referer Header
580830 SQL Injection in User-Agent Header
580831 SQL Injection in X-Forwarded-For Header
580832 SQL Injection in Client-IP Header
580834 Grafana Unauthenticated Snapshot Creation
580835 KubePi LoginLogsSearch Unauthorized Access
580836 Error-Based NoSQL Injection (JSON Parameter Replacement)
580837 Appspec Yml Disclosure
580838 Command Injection in Referer Header
580839 Command Injection in User-Agent Header
580840 Command Injection in X-Forwarded-For Header
580841 Command Injection in Client-IP Header
580842 Command Injection Using Backticks
580843 CGI Script Environment Variable Disclosure
580844 CircleCI Config.yml Exposure
580845 Config Ruby File Disclosure
580846 Django Default Homepage Enabled
580847 Eclipse BIRT Panel Exposure
580848 ElasticSearch Default Login Vulnerability
580849 Nginx Git Configuration Exposure
580850 GitHub Workflow Disclosure
580851 Google API Key Disclosure
580852 GraphQL Debug Mode Enabled
580853 JWT Signing in Client-Side
580854 LightHttpd Config Exposed
580855 Msmtp Configuration File Exposed
580856 Nginx Log File Exposed
580857 Open Redirect in Path