Web Application Detections Published in June 2025

In June, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including Next.js, DataTables, Billboard.js, OpenPGP.js, phpwcms, Laravel, Squid, Kibana, Liferay Portal, Apache Traffic Server, SAP, Traefik, Roundcube Webmail, Apache Tomcat, WordPress, Zimbra, Apache Superset, Moodle, Gradio, Adobe Magento, Craft CMS, Gladinet CentreStack, Teltonika, Cisco, ConnectWise ScreenConnect, Siemens, GitLab, Mattermost, GeoServer, NetScaler, Dify, FastGPT, FortiMail, JetBrains TeamCity and Adobe.

The following table lists the QIDs released in June 2025.

QID Title
151059 Next.js Race Condition Vulnerability (CVE-2025-32421)
151060 Next.js Information Exposure Vulnerability (CVE-2025-48068)
151061 DataTables Prototype Pollution Vulnerability (CVE-2020-28458)
151062 DataTables Cross-Site Scripting (XSS) Vulnerability (CVE-2021-23445)
151063 Billboard.js Prototype Pollution Vulnerability (CVE-2025-49223)
151064 OpenPGP.js Signature Verification Bypass Vulnerability (CVE-2025-47934)
520051 phpwcms Multiple Deserialization Vulnerabilities (CVE-2025-5497, CVE-2025-5498, CVE-2025-5499)
520052 Laravel File Validation Bypass Vulnerability (CVE-2025-27515)
520053 Squid Denial of Service Vulnerability (CVE-2024-45802)
520054 Kibana Improper Authorization Vulnerability (CVE-2024-43706)
520055 Liferay Portal Denial of Service Vulnerability (CVE-2025-3602)
520056 Apache Traffic Server Denial of Service Vulnerability (CVE-2025-49763)
520057 Apache Traffic Server Improper Access Control Vulnerability (CVE-2025-31698)
520058 Apache Traffic Server Chunked Request Smuggling Vulnerability (CVE-2024-53868)
520059 Liferay Portal Path Traversal Vulnerability (CVE-2025-3594)
520060 Liferay Portal Denial of Service Vulnerability (CVE-2025-3526)
520061 Kibana Open Redirect Vulnerability (CVE-2025-25012)
530072 SAP NetWeaver Visual Composer Development Server Insecure Deserialization Vulnerability (CVE-2025-42999)
530133 Traefik Path Traversal Vulnerability (CVE-2025-47952)
530134 Roundcube Webmail Remote Code Execution (RCE) Vulnerability (CVE-2025-49113)
530135 Apache Tomcat CGI Security Constraint Bypass Vulnerability (CVE-2025-46701)
530136 WordPress Newsletters Plugin: Local File Inclusion Vulnerability (CVE-2025-4857)
530137 WordPress Newsletters Plugin: Local File Inclusion Vulnerability (CVE-2025-4857)
530138 Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2024-45515)
530139 Apache Superset SQL Injection Vulnerability (CVE-2025-48912)
530140 Moodle AJAX Section Deletion Permission Bypass Vulnerability (CVE-2025-3644)
530141 Moodle Remote Code Execution Vulnerability (CVE-2025-3641)
530142 Gradio Arbitrary File Copy via Flagging Feature (CVE-2025-48889)
530143 Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3640)
530144 Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-3635)
530145 WordPress AI Engine Plugin: Arbitrary File Upload Vulnerability (CVE-2023-51409)
530146 WordPress PSW Front-end Login and Registration Plugin: Privilege Escalation Vulnerability (CVE-2025-4607)
530147 WordPress WP-GeoMeta Plugin: Privilege Escalation Vulnerability (CVE-2025-4103)
530148 Grafana Authorization Bypass Vulnerability (CVE-2025-3454)
530149 Moodle Missing Authorization Vulnerability (CVE-2025-32045)
530150 WordPress Offsprout Page Builder Plugin: Privilege Escalation Vulnerability (CVE-2025-4672)
530151 Moodle Unauthenticated REST API User Data Exposure Vulnerability (CVE-2025-32044)
530152 WordPress Simple Page Access Restriction Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-5142)
530153 WordPress File Provider Plugin: SQL Injection Vulnerability (CVE-2025-4578)
530154 WordPress OpenSheetMusicDisplay Plugin: Cross-Site Scripting Vulnerability (CVE-2025-5235)
530155 Adobe Magento Improper Access Control Security Feature Bypass Vulnerability (CVE-2025-27190)
530156 Craft CMS Arbitrary Content Storage Vulnerability (CVE-2025-35939)
530157 Adobe Magento Improper Access Control Bypass Vulnerability (CVE-2025-27191)
530158 Adobe Magento Improper Authorization Vulnerability (CVE-2025-27188)
530159 Adobe Magento Insufficiently Protected Credentials Bypass Vulnerability (CVE-2025-27192)
530160 Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability (CVE-2025-30406)
530161 WordPress Eventin Plugin: Privilege Escalation Vulnerability (CVE-2025-47539)
530162 WordPress LA-Studio Element Kit for Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2025-4943)
530163 Teltonika RUT9XX Unauthenticated OS Command Injection Vulnerability (CVE-2018-17532)
530164 Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188)
530165 WordPress Sunshine Photo Cart Plugin: Privilege Escalation Vulnerability (CVE-2025-5482)
530166 WordPress Store Locator WordPress Plugin: SQL Injection Vulnerability (CVE-2025-49328)
530167 WordPress HyperComments Plugin: Missing Authorization Vulnerability (CVE-2025-5701)
530168 ConnectWise ScreenConnect ViewState Code Injection Vulnerability (CVE-2025-3935)
530172 Siemens SINEC NMS Detected
530173 WordPress Membership For WooCommerce Plugin: Missing Authorization Vulnerability (CVE-2025-49265)
530174 WordPress One-Login Plugin: Privilege Escalation Vulnerability (CVE-2025-23974)
530175 WordPress Stock Locations for WooCommerce Plugin: Missing Authorization Vulnerability (CVE-2025-47463)
530176 GitLab CE/EE Kubernetes Denial of Service Vulnerability (CVE-2025-3111)
530177 GitLab CE/EE Denial of Service Vulnerability (CVE-2025-2853)
530178 Apache Tomcat Authentication Bypass Vulnerability (CVE-2025-49125)
530179 Apache Tomcat Denial-of-Service (DoS) Vulnerability (CVE-2025-48988)
530180 Apache Tomcat Untrusted Search Path Vulnerability (CVE-2025-49124)
530181 Mattermost Guest User API Team Information Disclosure Vulnerability (CVE-2025-4128)
530182 Mattermost LDAP Group ID Attribute Injection Vulnerability (CVE-2025-4573)
530183 GeoServer GeoWebCache Sensitive Information Exposure Vulnerability (CVE-2024-38524)
530184 GeoServer REST API Index Unauthorized Access Vulnerability (CVE-2025-27505)
530185 GeoServer TestWfsPost Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-29198, CVE-2021-40822)
530186 Mattermost Google OAuth Credential Disclosure Vulnerability (CVE-2025-2571)
530187 Mattermost Unvalidated Personal Access Token Deactivation Vulnerability (CVE-2025-3230)
530189 WordPress CubeWP Plugin: Privilege Escalation Vulnerability (CVE-2025-4315)
530190 WordPress WP VR Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47452)
530191 GeoServer XML External Entity (XXE) Processing Vulnerability (CVE-2025-30220)
530192 Mattermost Guest Access Control Vulnerability (CVE-2025-1792)
530193 Mattermost System Manager Access Control Enforcement Vulnerability (CVE-2025-3611)
530194 WordPress Ivory Search Plugin: Cross-Site Scripting Vulnerability (CVE-2025-5209)
530195 WordPress s2Member Pro Plugin: Local File Inclusion Vulnerability (CVE-2024-12563)
530196 WordPress WP Job Portal Plugin: SQL Injection Vulnerability (CVE-2025-48274)
530197 WordPress WP Marketing Automations Plugin: Missing Authorization Vulnerability (CVE-2025-1562)
530198 NetScaler ADC and Gateway Improper Access Control Vulnerability (CVE-2025-5349)
530199 NetScaler ADC and Gateway Insufficient Input Validation Vulnerability (CVE-2025-5777)
530200 Dify Cross-site Scripting Vulnerability (CVE-2025-49149)
530201 WordPress PixelYourSite Plugin: Unauthenticated PHP Object Injection Vulnerability (CVE-2024-0769)
530202 FastGPT Improper Input Validation Vulnerability (CVE-2025-52552)
530203 FastGPT Server-Side Request Forgery Vulnerability (CVE-2025-27600)
530204 Mattermost Arbitrary File Write Vulnerability (CVE-2025-4981)
530205 Mattermost Channel Validation Failure Vulnerability (CVE-2024-39274)
530206 WordPress AI Engine Plugin: Insufficient Authorization Vulnerability (CVE-2025-5071)
530207 WordPress CSV Me Plugin: Arbitrary File Upload Vulnerability (CVE-2025-6086)
530208 FortiMail Stack-based Buffer Overflow Vulnerability (CVE-2025-32756)
530209 FortiMail Authentication Bypass Vulnerability (CVE-2023-47539)
530210 JetBrains TeamCity XSS Vulnerabilities (CVE-2025-52875, CVE-2025-52876, CVE-2025-52877, CVE-2025-52879)
530211 JetBrains TeamCity Usernames Exposure Vulnerability (CVE-2025-52878)
530212 Mattermost Unauthorized Channel Member Management Vulnerability (CVE-2025-3227)
530213 Mattermost Guest User Playbook Run Exposure Vulnerability (CVE-2025-3228)
530214 Roundcube Webmail XSS Vulnerabilities (CVE-2024-42008, CVE-2024-42009)
530215 WordPress Ultra Addons for Contact Form 7 Plugin: Arbitrary File Upload Vulnerability (CVE-2025-6220)
530216 Roundcube Webmail Sensitive Information Exposure Vulnerability (CVE-2024-42010)
530217 WordPress Classified Listing Plugin: Local File Inclusion Vulnerability (CVE-2025-52715)
530218 WordPress WP Roadmap Plugin: SQL Injection Vulnerability (CVE-2025-52822)
530219 WordPress WP User Stylesheet Switcher Plugin: CSRF Vulnerability (CVE-2025-52792)
530220 WordPress Import YouTube videos as WP Posts Plugin: Missing Authorization Vulnerability (CVE-2025-52802)
530221 NetScaler ADC and Gateway Memory Overflow Vulnerability (CVE-2025-6543)
530222 Adobe Magento Server-Side Request Forgery Vulnerability (CVE-2024-34111)
530223 Adobe Magento Improper Authentication Vulnerability (CVE-2024-34103)
530225 Adobe Magento Cross-Site Scripting Vulnerability (CVE-2024-34105)
530226 Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2025-48700)
530227 GitLab CE/EE CSRF GraphQL Mutation Execution Vulnerability (CVE-2025-4994)
530228 GitLab CE/EE Cross-site Scripting Vulnerability (CVE-2025-2443)
530229 GitLab CE/EE Compliance Framework Authorization Bypass Vulnerability (CVE-2025-5121)
530233 Grafana Information Disclosure Vulnerability (CVE-2025-3415)