Web Application Detections Published in July 2025

Hitesh Kadu

In July, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:

Next.js, Apache, Mattermost, Adobe Magento, MLflow, SugarCRM, Fortinet, WordPress, MCP, WingFTP, Gogs, Moodle, Ivanti, Adobe ColdFusion, LiteLLM, Zimbra, Oracle WebLogic Server, JetBrains YouTrack, LaRecipe, Grafana, GitLab, Microsoft SharePoint Server, Dify, XWiki, Drupal, JetBrains TeamCity, PaperCut, NetAlertX.

QIDs Released to Detect Vulnerabilities in These Frameworks

Details about the following QIDs can be found in the Qualys KnowledgeBase. Review the scan reports for your applications and, if any of these detections appear, follow the remediation steps in the corresponding KnowledgeBase entry. Treat these findings as priority items: left unaddressed, they can lead to breaches, unauthorized access, and other malicious activity.

List of QIDs Released

QID     Title
151065  Next.js Denial of Service (DoS) Vulnerability (CVE-2025-49826)
151066  Next.js Cache Poisoning Vulnerability (CVE-2025-49005)
520062  Apache APISIX OpenID Connect Plugin Authentication Bypass Vulnerability (CVE-2025-46647)
520063  Apache HTTP Server HTTP/2 Denial-of-Service Vulnerability (CVE-2025-53020)
520064  Apache HTTP Server mod_ssl TLS Upgrade HTTP Desynchronization Vulnerability (CVE-2025-49812)
520065  Apache HTTP Server Denial-of-Service Vulnerability (CVE-2025-49630)
520066  Apache HTTP Server Improper Access Control Vulnerability (CVE-2025-23048)
520067  Apache HTTP Server Log Injection Vulnerability (CVE-2024-47252)
520068  Apache HTTP Server Server-Side Request Forgery (SSRF) Vulnerabilities (CVE-2024-43394, CVE-2024-43204)
520069  Apache HTTP Server HTTP Response Splitting Vulnerability (CVE-2024-42516)
530213  Mattermost Guest User Playbook Run Exposure Vulnerability (CVE-2025-3228)
530224  Adobe Magento Improper Authorization Vulnerability (CVE-2024-34104)
530230  Adobe Magento Improper Access Control Vulnerability (CVE-2024-34107)
530231  Adobe Magento Multiple Improper Input Validation Vulnerabilities (CVE-2024-34108, CVE-2024-34109)
530232  Adobe Magento Unrestricted File Upload Vulnerability (CVE-2024-34110)
530234  MLflow Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-52967)
530235  SugarCRM PHP Object Injection Vulnerability (CVE-2025-25034)
530236  Fortinet FortiOS Hard-Coded Credentials Vulnerability (CVE-2019-6693)
530237  WordPress Simple User Registration Plugin: Privilege Escalation Vulnerability (CVE-2025-4334)
530238  MCP Inspector Remote Code Execution (RCE) Vulnerability (CVE-2025-49596)
530239  WingFTP Remote Code Execution Vulnerability (CVE-2025-47812)
530240  WordPress Owl Carousel Responsive Plugin: SQL Injection Vulnerability (CVE-2025-5590)
530241  WordPress PT Project Notebooks Plugin: Privilege Escalation Vulnerability (CVE-2025-5304)
530242  WordPress Simple Payment Plugin: Authentication Bypass Vulnerability (CVE-2025-6688)
530243  Gogs Remote Code Execution (RCE) Vulnerability (CVE-2024-56731)
530244  Moodle Jmol Plugin Path Traversal Vulnerability (CVE-2025-34031)
530245  Moodle Jmol Plugin Cross-Site Scripting (XSS) Vulnerability (CVE-2025-34032)
530246  Gogs Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-47943)
530247  WordPress WP Human Resource Management Plugin: Privilege Escalation Vulnerability (CVE-2025-5953)
530248  Mattermost Incorrect Authorization Vulnerability (CVE-2025-46702)
530249  Mattermost Incorrect Authorization Vulnerability (CVE-2025-47871)
530250  Adobe Magento Incorrect Authorization Vulnerability (CVE-2024-34106)
530251  Apache Airflow Providers Snowflake Special Element Injection Vulnerability (CVE-2025-50213)
530252  Nimesa Backup and Recovery OS Command Injection Vulnerability (CVE-2025-48501)
530253  Nimesa Backup and Recovery Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-53473)
530254  Apache Seata Insecure Deserialization Vulnerability (CVE-2025-32897)
530255  WordPress AI Engine Plugin: Open Redirect Vulnerability (CVE-2025-6238)
530256  WordPress Booking X Plugin: Missing Authorization Vulnerability (CVE-2025-6814)
530257  WordPress GoZen Forms Plugin: SQL Injection Vulnerability (CVE-2025-6783)
530259  Ivanti Endpoint Manager (EPM) Improper Encryption Vulnerabilities (CVE-2025-6995, CVE-2025-6996)
530260  Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2025-7037)
530261  Ivanti Connect Secure (ICS) Improper Access Control Vulnerability (CVE-2025-5450)
530262  Ivanti Connect Secure (ICS) Insertion of Sensitive Information into Log File Vulnerabilities (CVE-2025-5463, CVE-2025-5464)
530263  Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-5451)
530264  Ivanti Connect Secure (ICS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-0292)
530265  Ivanti Connect Secure (ICS) CRLF Injection Vulnerability (CVE-2025-0293)
530266  Adobe ColdFusion XML External Entity (XXE) Vulnerabilities (CVE-2025-49535, CVE-2025-49539, CVE-2025-49544)
530267  Adobe ColdFusion Hard-coded Credentials Vulnerability (CVE-2025-49551)
530268  Adobe ColdFusion Incorrect Authorization Vulnerability (CVE-2025-49536)
530269  WordPress Profitori Plugin: Privilege Escalation Vulnerability (CVE-2025-4631)
530270  LiteLLM SQL Injection Vulnerability (CVE-2025-45809)
530271  WordPress Smash Balloon Social Photo Feed Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-4583)
530272  Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-49518)
530273  Moodle Insufficient Authorization Vulnerability (CVE-2025-49517)
530274  Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-49516)
530275  Zimbra Denial of Service (DoS) Vulnerability (CVE-2025-53645)
530276  Adobe ColdFusion OS Command and XML Injection Vulnerabilities (CVE-2025-49537, CVE-2025-49538)
530277  Adobe ColdFusion Cross-Site Scripting (XSS) Vulnerabilities (APSB25-69)
530278  WordPress WPBookit Plugin: Arbitrary File Upload Vulnerabilities (CVE-2025-6057, CVE-2025-6058)
530279  Adobe ColdFusion Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-49545)
530280  Adobe ColdFusion Denial of Service (DoS) Vulnerability (CVE-2025-49546)
530281  WordPress Friends Plugin: PHP Object Injection Vulnerability (CVE-2025-7504)
530282  Moodle Insufficient Authorization Vulnerability (CVE-2025-49515)
530283  Moodle Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-49514)
530284  WordPress SureForms Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-6691)
530285  Apache Tomcat Denial of Service (DoS) Vulnerabilities (CVE-2025-52520, CVE-2025-53506)
530287  WordPress SureForms Plugin: PHP Object Injection Vulnerability (CVE-2025-6742)
530288  Ivanti Endpoint Manager Mobile (EPMM) OS Command Injection Vulnerabilities (CVE-2025-6770, CVE-2025-6771)
530289  WordPress Broken Link Notifier Plugin: Server-Side Request Forgery Vulnerability (CVE-2025-6851)
530291  WordPress HT Contact Form Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7341)
530292  WordPress HT Contact Form Plugin: Arbitrary File Upload Vulnerability (CVE-2025-7340)
530293  WordPress HT Contact Form Plugin: Arbitrary File Moving Vulnerability (CVE-2025-7360)
530294  Moodle Password Caching Vulnerability (CVE-2025-49513)
530295  Moodle MathJax Cross-Site Scripting (XSS) Vulnerability (CVE-2025-49512)
530296  Oracle WebLogic Server Multiple Vulnerabilities (CPU-JUL2025)
530297  JetBrains YouTrack Email Spoofing Vulnerability (CVE-2025-53959)
530298  LaRecipe Server-Side Template Injection Vulnerability (CVE-2025-53833)
530299  WordPress Restrict File Access Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-7667)
530300  WordPress Counter Live Visitors For WooCommerce Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7359)
530301  Fortinet FortiOS Heap-based Buffer Overflow Vulnerability (CVE-2025-24477)
530303  WordPress WP Event Manager Plugin: Cross-Site Scripting Vulnerability (CVE-2025-2800)
530304  WordPress Aapanel WP Toolkit Plugin: Privilege Escalation Vulnerability (CVE-2025-6813)
530305  WordPress Attachment Manager Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7643)
530306  Grafana Cross-Site Scripting (XSS) Vulnerability (CVE-2025-6023)
530307  Grafana Open Redirect Vulnerability (CVE-2025-6197)
530308  Fortinet FortiWeb SQL Injection Vulnerability (CVE-2025-25257)
530309  GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-6948)
530310  GitLab EE Incorrect Authorization Vulnerability (CVE-2025-6168)
530311  GitLab EE Incorrect Authorization Vulnerability (CVE-2025-4972)
530312  GitLab EE Incorrect Authorization Vulnerability (CVE-2025-3396)
530313  GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-4979)
530314  GitLab CE/EE User Interface Misrepresentation Vulnerability (CVE-2024-9163)
530315  WordPress Integration For Contact Form 7 And Pipedrive Plugin: PHP Object Injection Vulnerability (CVE-2025-7696)
530316  WordPress Extensions For CF7 Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-7645)
530317  Microsoft SharePoint Server Multiple Vulnerabilities (CVE-2025-53770, CVE-2025-53771)
530318  GitLab CE/EE GraphQL Information Disclosure Vulnerability (CVE-2025-1110)
530319  GitLab CE/EE SAML XPath Validation Bypass Vulnerability (CVE-2024-12093)
530320  GitLab CE/EE Email Address Disclosure Vulnerability (CVE-2025-0679)
530321  GitLab CE/EE Denial of Service Vulnerability (CVE-2025-0993)
530322  GitLab CE/EE Two-Factor Authentication Bypass Vulnerability (CVE-2025-0605)
530323  GitLab CE/EE Discord Webhook Denial of Service Vulnerability (CVE-2024-7803)
530324  WordPress bSecure Plugin: Privilege Escalation Vulnerability (CVE-2025-6187)
530325  WordPress Nginx Cache Purge Preload Plugin: Remote Code Execution Vulnerability (CVE-2025-6213)
530326  WordPress Social Streams Plugin: Privilege Escalation Vulnerability (CVE-2025-7722)
530329  WordPress Integration For Contact Form 7 and Google Sheets Plugin: PHP Object Injection Vulnerability (CVE-2025-7697)
530330  Dify Code Execution Vulnerability (CVE-2025-3466)
530331  Apache Jena Path Traversal Vulnerability (CVE-2025-49656)
530332  XWiki SQL Injection Vulnerability (CVE-2025-32429)
530333  WordPress Melapress Login Security Plugin: Authentication Bypass Vulnerability (CVE-2025-6895)
530334  WordPress Dataverse Integration Plugin: Privilege Escalation Vulnerability (CVE-2025-7695)
530335  Drupal Stage File Proxy Unauthenticated Flooding Vulnerability (CVE-2025-3734)
530336  Drupal Simple GTM Cross-Site Scripting Vulnerability (CVE-2025-3736)
530337  Drupal Google Optimize Authentication Bypass Vulnerability (CVE-2025-3738)
530338  JetBrains TeamCity CSRF Vulnerabilities (CVE-2025-54528, CVE-2025-54529, CVE-2025-54536)
530339  JetBrains TeamCity Privilege Escalation Vulnerability (CVE-2025-54530)
530340  JetBrains TeamCity Path Traversal Vulnerability (CVE-2025-54531)
530341  PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-2533)
530342  NetAlertX Password Bypass Vulnerability (CVE-2025-48952)
530343  Drupal Panelizer Cross-Site Request Forgery Vulnerability (CVE-2025-3735)
530344  Drupal Google Optimize Hide Page Information Disclosure Vulnerability (CVE-2025-3739)
530345  Drupal Google Maps Store Locator Cross-Site Scripting Vulnerability (CVE-2025-3737)
530346  NetAlertX Authentication Bypass Vulnerability (CVE-2025-32440)
530348  JetBrains TeamCity Improper Access Control Vulnerabilities (CVE-2025-54532, CVE-2025-54533)
530349  JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-54534)
530350  JetBrains TeamCity Weak Hashing Algorithm Vulnerability (CVE-2025-54535)
530351  Drupal baguetteBox.js Cross-Site Scripting Vulnerability (CVE-2025-3733)
530352  NetAlertX Command Injection Vulnerability (CVE-2024-46506)
530353  JetBrains TeamCity Sensitive Credential Exposure Vulnerabilities (CVE-2025-54537, CVE-2025-54538)

What’s Next

Use the QID list above to prioritize remediation: cross-reference it against your latest Web Application Scanning reports and track each detected QID through to patching or mitigation.

Looking for more context or remediation tips? Head to Qualys KnowledgeBase for detailed analysis, actionable guidance, and expert-backed support.
