Application Security Detections Published in December 2025
In December, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
Liferay, Atlassian, Kibana, SolarWinds, PHP, Adobe, pgAdmin, JetBrains, GitLab, Nginx, WordPress, vLLM, Fortinet, Drupal, React, Apache, ClipBucket, Jenkins, Infoblox, Ollama, Gogs, FreePBX, 1Panel, XWiki, Cisco, Roundcube, GeoServer, N8n, HexStrike
Details about the following QIDs can be found in our knowledge base. Please review the scan reports of your applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure the applications are protected against the reported vulnerabilities. Resolving these vulnerabilities as soon as they are detected should be a priority for all organizations. Left unaddressed, they can lead to breaches, unauthorized access, and other malicious activity.
| QID | Title |
|---|---|
| 520083 | Liferay Portal Cross-site scripting (XSS) Vulnerability (CVE-2025-62265) |
| 520084 | Liferay Portal DNS Rebinding Vulnerability (CVE-2025-62266) |
| 520085 | Liferay Portal Password Enumeration Vulnerability (CVE-2025-62257) |
| 520086 | Liferay Portal Reflected Cross-site scripting (XSS) Vulnerability (CVE-2025-4576) |
| 520087 | Atlassian Jira Data Center and Server Path Traversal Vulnerability (CVE-2025-22167) |
| 520088 | Liferay Portal Observable Discrepancy Vulnerability (CVE-2025-43739) |
| 520089 | Kibana Unbounded Allocation Vulnerability (CVE-2024-43708) |
| 520090 | SolarWinds Serv-U Remote Code Execution (RCE) Vulnerabilities (CVE-2025-40547, CVE-2025-40548) |
| 520091 | SolarWinds Serv-U Path Restriction Bypass Vulnerability (CVE-2025-40549) |
| 520092 | Kibana Improper Authorization Vulnerability (CVE-2025-68422) |
| 520093 | PHP NULL Pointer Dereference Vulnerability (CVE-2025-6491) |
| 520094 | PHP HTTP Redirect Location Buffer Truncation Vulnerability (CVE-2025-1861) |
| 520095 | PHP Improper Input Validation Vulnerability (CVE-2025-1736) |
| 520096 | PHP SQL Injection Vulnerability (CVE-2025-1735) |
| 520097 | PHP Server-Side Request Forgery Vulnerability (CVE-2025-1220) |
| 520098 | PHP HTTP Redirect Header Confusion Vulnerability (CVE-2025-1219) |
| 520099 | PHP Interpretation Conflict Vulnerability (CVE-2025-1217) |
| 530658 | Adobe Magento Unrestricted File Upload Vulnerability (CVE-2024-39397) |
| 530668 | Adobe Magento Cross-Site Request Forgery Vulnerabilities (CVE-2024-39408, CVE-2024-39409, CVE-2024-39410) |
| 530679 | pgAdmin Remote Code Execution (RCE) Vulnerability (CVE-2025-12762) |
| 530697 | JetBrains YouTrack Junie Token Exposure Vulnerability (CVE-2025-64689) |
| 530698 | JetBrains YouTrack VCS URL Validation Vulnerability (CVE-2025-64688) |
| 530699 | GitLab CE/EE Improper Access Control Vulnerability (CVE-2025-7736) |
| 530700 | GitLab CE/EE Denial Of Service Vulnerability (CVE-2025-12983) |
| 530702 | JetBrains YouTrack Missing Authorization Vulnerabilities (CVE-2025-64684, CVE-2025-64687, CVE-2025-64690) |
| 530703 | Nginx Server-Status page exposed (stub_status) |
| 530704 | WordPress Easy WP SMTP Plugin: Administrator Account Takeover Vulnerability (CVE-2020-35234) |
| 530705 | vLLM Remote Code Execution (RCE) Vulnerability (CVE-2025-66448) |
| 530706 | WordPress Cost Calculator Builder Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-12529) |
| 530707 | Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034) |
| 530708 | Drupal JSON Field: Cross Site Scripting (XSS) Vulnerability (CVE-2025-10926) |
| 530709 | Drupal Access code: Access Bypass Vulnerability (CVE-2025-10928) |
| 530711 | WordPress ProfileGrid Plugin: PHP Object Injection Vulnerability (CVE-2025-0724) |
| 530712 | React Server Components Remote Code Execution (RCE) Vulnerability (CVE-2025-55182) (React2Shell) |
| 530713 | Apache Druid Kerberos Authentication Unsecure Cryptographic Secret Vulnerability (CVE-2025-59390) |
| 530714 | WordPress AI ChatBot Plugin: Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-13378) |
| 530717 | ClipBucket V5 Authorization Bypass Vulnerability (CVE-2025-65113) |
| 530718 | Apache Tomcat ANSI Escape Sequence Injection in Log Messages (CVE-2025-55754) |
| 530719 | Jenkins Curseforge Publisher Plugin: API Key Disclosure Vulnerability (CVE-2025-64147) |
| 530720 | vLLM Remote Code Execution (RCE) Vulnerabilities (CVE-2025-32444, CVE-2025-47277) |
| 530721 | vLLM Denial of Service (DoS) Vulnerability (CVE-2025-30202) |
| 530722 | Apache Syncope Default AES Key Utilized For Encryption Vulnerability (CVE-2025-65998) |
| 530723 | Infoblox NetMRI Unauthenticated Command Injection Vulnerability (CVE-2025-32813) |
| 530724 | vLLM Denial of Service (DoS) Vulnerability (CVE-2025-46560) |
| 530725 | WordPress Username Enumeration via Author ID Parameter |
| 530726 | Jenkins MCP Server Plugin Missing Authorization Vulnerability (CVE-2025-64132) |
| 530727 | Apache OFBiz Template Engine Vulnerability (CVE-2025-26865) |
| 530728 | Jenkins SAML Plugin Replay Vulnerability (CVE-2025-64131) |
| 530729 | Jenkins Extensible Choice Parameter Plugin CSRF Vulnerability (CVE-2025-64133) |
| 530730 | Jenkins JDepend Plugin XXE Vulnerability (CVE-2025-64134) |
| 530731 | GitLab CE/EE Race Condition Vulnerability (CVE-2024-9183) |
| 530732 | GitLab CE/EE Denial Of Service Vulnerability (CVE-2025-12571) |
| 530733 | GitLab CE/EE Authentication Bypass Vulnerability (CVE-2025-12653) |
| 530734 | Ollama Cross-Domain Authentication Token Exposure (CVE-2025-51471) |
| 530735 | GitLab CE/EE Denial Of Service Vulnerability (CVE-2025-7449) |
| 530736 | Adobe ColdFusion Multiple Vulnerabilities (APSB25-105) |
| 530737 | Gogs Symlink Bypass Vulnerability (CVE-2025-8110) |
| 530738 | GitLab EE Improper Authorization Vulnerability (CVE-2025-6195) |
| 530739 | GitLab CE/EE Information Disclosure Vulnerability (CVE-2025-13611) |
| 530740 | Apache Struts Showcase App Denial of Service Vulnerability (CVE-2025-64775) |
| 530741 | WordPress Hippoo Mobile App for WooCommerce Plugin: Arbitrary File Read Vulnerability (CVE-2025-13339) |
| 530742 | React Server Components Denial of Service (DoS) Vulnerability (CVE-2025-55184) |
| 530743 | FreePBX Improper Authentication Vulnerability (CVE-2025-66039) |
| 530744 | FreePBX SQL Injection Vulnerability (CVE-2025-61675) |
| 530745 | FreePBX File Upload Vulnerability (CVE-2025-61678) |
| 530746 | 1Panel CAPTCHA Verification Bypass Vulnerability (CVE-2025-66507) |
| 530747 | pgAdmin Code Injection Vulnerability (CVE-2025-13780) |
| 530748 | XWiki Sensitive File Disclosure Vulnerability (CVE-2025-55749) |
| 530749 | WordPress LT Unleashed Plugin: Local File Inclusion Vulnerability (CVE-2025-13886) |
| 530750 | WordPress Elated Membership Plugin: Authentication Bypass Vulnerability (CVE-2025-13613) |
| 530751 | Apache Tika XML External Entity (XXE) Vulnerability (CVE-2025-66516, CVE-2025-54988) (Intrusive Check) |
| 530752 | Git Repository Found |
| 530753 | WordPress Export WP Pages Plugin: Sensitive Information Exposure Vulnerability (CVE-2025-11693) |
| 530754 | WordPress JAY Login and Register Plugin: Authentication Bypass Vulnerability (CVE-2025-14440) |
| 530755 | WordPress URL Shortener Plugin: SQL Injection Vulnerability (CVE-2025-10738) |
| 530756 | WordPress WPCOM Member Plugin: Authentication Bypass Vulnerability (CVE-2025-14002) |
| 530757 | Cisco AsyncOS Secure Email Gateway Remote Command Execution (RCE) Vulnerability (CVE-2025-20393) |
| 530758 | WordPress Fox LMS Plugin: Privilege Escalation Vulnerability (CVE-2025-14156) |
| 530760 | Roundcube Webmail Information Disclosure Vulnerability (CVE-2025-68460) |
| 530761 | Roundcube Webmail Cross-Site-Scripting (XSS) Vulnerability (CVE-2025-68461) |
| 530762 | Apache StreamPark Use of Hard-Coded Key Vulnerability (CVE-2025-54947) |
| 530766 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities |
| 530767 | JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-68268) |
| 530768 | WordPress Booking Calendar Plugin: Blind SQL Injection Vulnerability (CVE-2025-14383) |
| 530769 | WordPress Demo Importer Plus Plugin: Privilege Escalation Vulnerability (CVE-2025-14364) |
| 530770 | WordPress NextGEN Gallery Plugin: Local File Inclusion Vulnerability (CVE-2025-13641) |
| 530771 | JetBrains TeamCity Excessive Privileges Vulnerability (CVE-2025-68267) |
| 530773 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-12029) |
| 530774 | GeoServer XML External Entity (XXE) Processing Vulnerability (CVE-2025-58360) |
| 530775 | Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2025-59718) |
| 530776 | Fortinet FortiWeb Authentication Bypass Vulnerability (CVE-2025-59719) |
| 530777 | N8n Remote Code Execution Vulnerability (CVE-2025-68613) |
| 530778 | WordPress Contact Form 7 Redirect Plugin: Arbitrary File Upload Vulnerability (CVE-2025-14800) |
| 530780 | WordPress Doubly Plugin: PHP Object Injection Vulnerability (CVE-2025-14476) |
| 530784 | GitLab CE/EE Improper Encoding Vulnerability (CVE-2025-8405) |
| 530785 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-12562) |
| 530786 | WordPress WP User Manager Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-13320) |
| 530787 | WordPress Ninja Forms Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-11924) |
| 530788 | WordPress Hummingbird Plugin: Sensitive Information Exposure Vulnerability (CVE-2025-14437) |
| 530789 | GitLab CE/EE Authentication Bypass Vulnerability (CVE-2025-11984) |
| 530790 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-4097) |
| 580896 | Hash Disclosure in Sensitive Fields |
| 580897 | HexStrike AI MCP Server Command Injection Vulnerability (CVE-2025-35028) |
| 580898 | Mass Assignment: Unauthorized Modification of Sensitive Attributes |
What’s Next
Leverage the QID list to guide your remediation efforts and strengthen your risk posture.
Looking for more context or remediation tips? Head to Qualys KnowledgeBase for detailed analysis, actionable guidance, and expert-backed support.