Application Security Detections Published in May 2026

Hitesh Kadu


In May 2026, Qualys Web Application Scanning (WAS) released QIDs that detect vulnerabilities in several widely used software products and frameworks, including:

Angular, Apache (Airflow, HTTP Server, Tomcat), cPanel and WHM, Drupal, Express, GitHub Enterprise Server, Grafana, Ivanti, Joomla!, Langflow, Liferay Portal, LiteLLM, Microsoft SharePoint, NGINX, Next.js, n8n, Open WebUI, Palo Alto Networks PAN-OS, pgAdmin, PHP, SAP, Traefik, WordPress plugins, and Zabbix

Details for each of the QIDs listed below are available in the Qualys KnowledgeBase. Review the WAS reports for your scanned applications for these detections and, where any are reported, follow the remediation steps in the corresponding KnowledgeBase entry so that the affected applications are protected against the reported vulnerabilities. Remediate these findings as soon as they are detected: left unaddressed, they expose the application to breaches, unauthorized access, and other malicious activity.

QIDs

QID | Title
531399 | Open WebUI Path Traversal Vulnerability (CVE-2026-44566)
531400 | Open WebUI Authentication Bypass Vulnerability (CVE-2026-44551)
151089 | Angular Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-41423)
520152 | Liferay Portal Cross-Site Scripting Vulnerability (CVE-2025-62255)
520153 | Liferay Portal Missing Authorization Vulnerability (CVE-2025-62256)
520154 | Liferay Portal Missing Authorization Vulnerability (CVE-2025-62247)
520155 | Liferay Portal Cross-Site Scripting Vulnerabilities (CVE-2025-62248, CVE-2025-62249)
520156 | Liferay Portal Improper Authentication Vulnerability (CVE-2025-62250)
520157 | Liferay Portal Improper Access Control Vulnerability (CVE-2025-62251)
520158 | Liferay Portal Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-62252)
520159 | Liferay Portal Cross-Site Scripting Vulnerabilities (CVE-2025-62246)
520160 | Liferay Portal Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-62242)
520161 | Liferay Portal Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-62243)
520162 | Liferay Portal Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-62244)
520163 | Liferay Portal Cross-Site Request Forgery Vulnerability (CVE-2025-62245)
520164 | Liferay Portal Cross-Site Scripting (XSS) Vulnerabilities (CVE-2025-62239, CVE-2025-62238)
520165 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-62237)
520166 | Liferay Portal Cross-Site Scripting Vulnerabilities (CVE-2025-62240)
520167 | Liferay Portal Cross-Site Scripting Vulnerability (CVE-2025-43830)
520168 | Liferay Portal Cross-Site Scripting Vulnerability (CVE-2025-43829)
520169 | Liferay Portal Cross-Site Scripting Vulnerabilities (CVE-2025-43821, CVE-2025-43823)
520170 | Liferay Portal Cross-Site Scripting Vulnerabilities (CVE-2025-43822)
520171 | Liferay Portal Cross-Site Scripting Vulnerability (CVE-2025-43826)
520172 | Liferay Portal HTTP Response Injection Vulnerability (CVE-2025-43824)
520173 | Liferay Portal Sensitive Data Exposure Vulnerability (CVE-2025-43825)
520183 | cPanel and WHM CRLF Injection Vulnerability (CVE-2026-32993)
520184 | cPanel and WHM Arbitrary File Read Vulnerability (CVE-2026-29201)
520185 | cPanel and WHM Incorrect Privileges Management Vulnerability (CVE-2026-29205)
531303 | EOL/Obsolete Software: Apache Tomcat 8.5.X Detected
531304 | EOL/Obsolete Software: Apache Tomcat 10.0.X Detected
531318 | N8n SQL Injection Vulnerability (CVE-2026-42237)
531319 | N8n Cross-Site Scripting Vulnerability (CVE-2026-42235)
531320 | N8n Denial of Service Vulnerability (CVE-2026-42236)
531330 | N8n Sandbox Escape Vulnerability (CVE-2026-42234)
531331 | N8n SQL Injection Vulnerabilities (CVE-2026-42233, CVE-2026-42229)
531332 | N8n Prototype Pollution Vulnerabilities (CVE-2026-42232, CVE-2026-42231)
531333 | N8n Authorization Bypass Vulnerability (CVE-2026-42226)
531336 | EOL/Obsolete Software: Zabbix 4.X Detected
531337 | EOL/Obsolete Software: Zabbix 5.X Detected
531338 | EOL/Obsolete Software: Zabbix 6.2.X Detected
531339 | EOL/Obsolete Software: Zabbix 6.4.X Detected
531340 | EOL/Obsolete Software: Zabbix 7.2.X Detected
531341 | N8n MCP Server Server-Side Request Forgery Vulnerability (CVE-2026-42449)
531342 | GitHub Enterprise Server HTML Injection Vulnerability (CVE-2026-8106)
531362 | GitHub Enterprise Server Server-Side Request Forgery Vulnerability (CVE-2026-8034)
531363 | GitHub Enterprise Server Denial of Service Vulnerability (CVE-2026-7541)
531364 | GitHub Enterprise Server Authentication Bypass Vulnerability (CVE-2026-6736)
531365 | GitHub Enterprise Server Server-Side Request Forgery Vulnerability (CVE-2026-5921)
531366 | GitHub Enterprise Server Improper Authorization Vulnerabilities (CVE-2026-5845, CVE-2026-5512)
531367 | GitHub Enterprise Server OS Command Injection Vulnerability (CVE-2026-4821)
531368 | GitHub Enterprise Server OAuth Redirect URI Bypass Vulnerability (CVE-2026-4296)
531369 | GitHub Enterprise Server Authorization Bypass Vulnerability (CVE-2026-3307)
531380 | SAP S/4HANA (SAP Enterprise Search for ABAP) SQL Injection Vulnerability (CVE-2026-34260)
531381 | SAP Commerce Cloud Missing Authentication Vulnerability (CVE-2026-34263)
520144 | Apache HTTP Server HTTP/2 Double Free and Remote Code Execution Vulnerability (CVE-2026-23918)
520145 | Apache HTTP Server mod_rewrite Privilege Escalation Vulnerability (CVE-2026-24072)
520146 | Apache HTTP Server mod_proxy_ajp Memory Corruption Vulnerabilities (CVE-2026-28780, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059)
520147 | Apache HTTP Server mod_md Unrestricted OCSP Response Vulnerability (CVE-2026-29168)
520148 | Apache HTTP Server mod_dav_lock Denial-of-Service (DoS) Vulnerability (CVE-2026-29169)
520149 | Apache HTTP Server mod_auth_digest Authentication Bypass Vulnerability (CVE-2026-33006)
520150 | Apache HTTP Server mod_authn_socache NULL Pointer Dereference Vulnerability (CVE-2026-33007)
520151 | Apache HTTP Server HTTP Response Splitting Vulnerability (CVE-2026-33523)
520175 | NGINX ngx_http_proxy_module HTTP/2 Request Injection Vulnerability (CVE-2026-42926)
520176 | NGINX ngx_http_rewrite_module Buffer Overflow Vulnerability (CVE-2026-42945)
520177 | NGINX ngx_http_scgi_module and ngx_http_uwsgi_module Memory Over-read Vulnerability (CVE-2026-42946)
520178 | NGINX ngx_http_charset_module Buffer Over-read Vulnerability (CVE-2026-42934)
520179 | NGINX HTTP/3 Address Spoofing Vulnerability (CVE-2026-40460)
520180 | NGINX Use After Free in OCSP Vulnerability (CVE-2026-40701)
531309 | Ivanti Endpoint Manager Mobile (EPMM) Improper Access Control Vulnerability (CVE-2026-5786)
531310 | Ivanti Endpoint Manager Mobile (EPMM) Improper Certificate Validation Vulnerability (CVE-2026-5787)
531311 | Ivanti Endpoint Manager Mobile (EPMM) Unauthenticated Method Invocation Vulnerability (CVE-2026-5788)
531312 | Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution (RCE) Vulnerability (CVE-2026-6973)
531313 | Ivanti Endpoint Manager Mobile (EPMM) Improper Certificate Validation Vulnerability (CVE-2026-7821)
531315 | LiteLLM Server-Side Template Injection (SSTI) Vulnerability (CVE-2026-42203)
531316 | LiteLLM SQL Injection Vulnerability (CVE-2026-42208)
531317 | LiteLLM Arbitrary Command Execution Vulnerability (CVE-2026-42271)
531321 | Microsoft SharePoint Deserialization Remote Code Execution (RCE) Vulnerabilities
531322 | Microsoft SharePoint Remote Code Execution (RCE) Vulnerability (CVE-2026-40365)
531323 | Apache Tomcat Uncontrolled Resource Allocation Vulnerability (CVE-2026-41284)
531324 | Apache Tomcat Improper Input Validation Vulnerability (CVE-2026-41293)
531325 | Apache Tomcat HTTP Authentication Header Exposure Vulnerability (CVE-2026-42498)
531326 | Apache Tomcat Authentication Bypass Vulnerability (CVE-2026-43512)
531327 | Apache Tomcat LockOutRealm Improper Handling Vulnerability (CVE-2026-43513)
531328 | Apache Tomcat AJP Secret Timing Discrepancy Vulnerability (CVE-2026-43514)
531329 | Apache Tomcat Improper Authorization Vulnerability (CVE-2026-43515)
531343 | pgAdmin Authorization Bypass Vulnerability (CVE-2026-7813)
531344 | pgAdmin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2026-7814)
531345 | pgAdmin SQL Injection (SQLi) Vulnerability (CVE-2026-7815)
531346 | pgAdmin OS Command Injection Vulnerability (CVE-2026-7816)
531347 | pgAdmin Local File Inclusion and Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-7817)
531348 | pgAdmin Deserialization Remote Code Execution (RCE) Vulnerability (CVE-2026-7818)
531349 | pgAdmin Path Traversal Vulnerability (CVE-2026-7819)
531350 | pgAdmin Authentication Rate Limiting Vulnerability (CVE-2026-7820)
531376 | Ivanti Virtual Traffic Manager (vTM) OS Command Injection Vulnerability (CVE-2026-8051)
531377 | Ivanti Endpoint Manager (EPM) Sensitive Credentials Exposure Vulnerability (CVE-2026-8109)
531378 | Ivanti Endpoint Manager (EPM) Privilege Escalation Vulnerability (CVE-2026-8110)
531379 | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2026-8111)
151090 | Next.js Cache Poisoning Vulnerability (CVE-2026-44582)
151091 | Next.js Cache Poisoning Vulnerability (CVE-2026-44576)
151092 | Next.js Denial of Service Vulnerability (CVE-2026-44577)
151093 | Next.js Cross-Site Scripting (XSS) Vulnerability (CVE-2026-44580)
151094 | Next.js Cross-Site Scripting (XSS) Vulnerability (CVE-2026-44581)
151095 | Next.js Middleware/Proxy Bypass Vulnerability (CVE-2026-44573)
151096 | Next.js Server Side Request Forgery Vulnerability (CVE-2026-44578)
151098 | Next.js Denial of Service Vulnerability (CVE-2026-44579)
151099 | Next.js Middleware/Proxy Bypass Vulnerability (CVE-2026-44575)
520174 | PHP Use-After-Free Vulnerability (CVE-2026-6722)
531151 | Grafana Snapshot Authentication Bypass Vulnerability (CVE-2021-39226)
531275 | Apache Airflow Authenticated Access Leakage Vulnerability (CVE-2026-38743)
531276 | Apache Airflow Log Exposure Vulnerability (CVE-2026-31987)
531277 | Apache Airflow SQL Error Exposure Vulnerability (CVE-2026-30912)
531278 | Apache Airflow Unsanitized User Input Privilege Escalation Vulnerability (CVE-2026-30898)
531279 | Apache Airflow XCom Payload Execution Vulnerability (CVE-2026-25917)
531280 | Apache Airflow Secret Exposure Vulnerability (CVE-2026-32690)
531281 | Apache Airflow UI / API Permission Bypass Vulnerability (CVE-2026-32228)
531282 | Apache Airflow XCom Payload Execution Vulnerability (CVE-2026-33858)
531283 | Apache Airflow Code Injection Vulnerability (CVE-2025-54550)
531305 | Traefik Multiple Authentication Bypass Vulnerabilities (CVE-2026-40912, CVE-2026-35051, CVE-2026-39858)
531314 | Palo Alto Networks (PAN-OS) Unauthenticated Buffer Overflow Vulnerability (CVE-2026-0300)
531334 | Express Version Disclosed
531335 | Authentication Bypass via SQL Injection
531361 | Langflow Cross-Site Scripting (XSS) Vulnerability (CVE-2026-3346)
531269 | WordPress ExactMetrics Plugin: Arbitrary Plugin Installation/Activation Vulnerability (CVE-2026-5464)
531270 | WordPress WP Statistics Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-5231)
531271 | WordPress Unlimited Elements For Elementor Plugin: Arbitrary File Read Vulnerability (CVE-2026-4659)
531272 | WordPress Easy Appointments Plugin: Sensitive Information Exposure Vulnerability (CVE-2026-2262)
531273 | WordPress LatePoint Plugin: Privilege Escalation Vulnerability (CVE-2026-6741)
531274 | WordPress HTTP Headers Plugin: External Control of File Name or Path Vulnerability (CVE-2026-4132)
531284 | WordPress Highland Software Custom Role Manager Plugin: Privilege Escalation Vulnerability (CVE-2026-7106)
531285 | WordPress WP Customer Area Plugin: Arbitrary File Read/Deletion Vulnerability (CVE-2026-3464)
531286 | WordPress Sendmachine Plugin: Authorization Bypass Vulnerability (CVE-2026-6235)
531287 | WordPress Drag and Drop File Upload Plugin: Arbitrary File Upload Vulnerability (CVE-2026-5364)
531288 | WordPress WP Editor Plugin: Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2026-3772)
531289 | WordPress User Verification Plugin: Authentication Bypass Vulnerability (CVE-2026-7458)
531291 | WordPress Import and Export Users and Customers Plugin: Privilege Escalation Vulnerability (CVE-2026-7641)
531292 | WordPress Widget Options Plugin: Remote Code Execution (RCE) Vulnerability (CVE-2026-2052)
531293 | WordPress Salon Booking System Plugin: Arbitrary File Read Vulnerability (CVE-2026-6320)
531294 | WordPress Brizy Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-5324)
531295 | WordPress Otter Blocks Plugin: Purchase Verification Bypass Vulnerability (CVE-2026-2892)
531297 | WordPress NEX-Forms Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-5063)
531298 | WordPress Geo Mashup Plugin: SQL Injection Vulnerabilities (CVE-2026-4060, CVE-2026-4061, CVE-2026-4062)
531299 | WordPress Gravity Forms Plugin: Cross-Site Scripting (XSS) Vulnerabilities (CVE-2026-5109, CVE-2026-5110, CVE-2026-5111, CVE-2026-5112, CVE-2026-5113)
531300 | WordPress ARMember Plugin: SQL Injection Vulnerability (CVE-2026-7649)
531301 | WordPress Temporary Login Plugin: Authentication Bypass Vulnerability (CVE-2026-7567)
531302 | Joomla! Core Multiple Vulnerabilities (CVE-2026-21630, CVE-2026-21631, CVE-2026-21632, CVE-2026-23899)
531306 | WordPress WP Mail Gateway Plugin: Missing Authorization Vulnerability (CVE-2026-6963)
531307 | WordPress Paid Memberships Pro Plugin: Missing Authorization Vulnerability (CVE-2026-4100)
531308 | WordPress PixelYourSite Pro Plugin: Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-7049)
531351 | WordPress AI Engine Plugin: Privilege Escalation Vulnerability (CVE-2026-8719)
531352 | WordPress Burst Statistics Plugin: Authentication Bypass Vulnerability (CVE-2026-8181)
531353 | WordPress WP-Optimize Plugin: Arbitrary File Deletion Vulnerability (CVE-2026-7252)
531354 | WordPress Fluent Forms Plugin: Authorization Bypass Vulnerability (CVE-2026-5396)
531355 | WordPress Fluent Forms Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2026-5395)
531356 | WordPress OttoKit Plugin: SQL Injection Vulnerability (CVE-2026-4935)
531357 | WordPress MonsterInsights Plugin: Missing Authorization Vulnerability (CVE-2026-5371)
531370 | WordPress WP DB Backup Plugin: Missing Authorization Vulnerabilities (CVE-2026-4029, CVE-2026-4030, CVE-2026-4031)
531371 | WordPress GeekyBot Plugin: Missing Authorization Vulnerability (CVE-2026-5294)
531372 | WordPress GeekyBot Plugin: SQL Injection Vulnerability (CVE-2026-3456)
531373 | WordPress FOX – Currency Switcher Plugin: Missing Authorization Vulnerability (CVE-2026-4094)
531374 | WordPress User Frontend Plugin: PHP Object Injection Vulnerability (CVE-2026-5127)
531375 | WordPress Royal Elementor Addons Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-4803)
531382 | WordPress ManageWP Worker Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-3718)
531383 | WordPress Forminator Forms Plugin: Path Traversal Vulnerability (CVE-2026-5192)
531384 | WordPress Form Maker Plugin: SQL Injection Vulnerability (CVE-2026-3359)
531385 | WordPress Custom Twitter Feeds Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2026-6177)
531386 | WordPress ProfileGrid Plugin: Missing Authorization Vulnerability (CVE-2026-4609)
531387 | WordPress Frontend Admin Plugin: Privilege Escalation Vulnerability (CVE-2026-6228)
531388 | WordPress RTMKit Addons for Elementor Plugin: Local File Inclusion (LFI) Vulnerability (CVE-2026-3425)
531389 | Drupal Core Multiple Security Vulnerabilities (CVE-2026-6365, CVE-2026-6366)
531390 | Drupal Core SQL Injection Vulnerability (CVE-2026-9082)
531391 | Drupal Core Cross-Site Scripting (XSS) Vulnerability (CVE-2026-6367)
531263 | WordPress Breeze Cache Plugin: Arbitrary File Upload Vulnerability (CVE-2026-3844)
531264 | WordPress Create DB Tables Plugin: Authorization Bypass Vulnerability (CVE-2026-4119)
531265 | WordPress Drag and Drop Plugin: Multiple Vulnerabilities (CVE-2026-5718, CVE-2026-5710)
531266 | WordPress CMP Coming Soon Maintenance Plugin: Arbitrary File Upload Vulnerability (CVE-2026-6518)
531267 | WordPress Everest Forms Plugin: Arbitrary File Read and Deletion Vulnerability (CVE-2026-5478)
531268 | WordPress WpForo Forum Plugin: Arbitrary File Deletion Vulnerability (CVE-2026-6248)
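A practical way to act on a list like this is to turn it into a lookup keyed by QID, join it against a WAS findings export, and order the matches by the class of weakness in the title so that RCE and authentication-bypass findings are handled first. The script below is an added example, not Qualys code: it parses rows in either the fused form the list was published in (`531399Open WebUI ...`) or a `QID | Title` form, pulls the CVE ids out of the trailing parenthesis, and joins the result with a constructed CSV export. The export's column names (`QID`, `Web Application`, `URL`) and the keyword-to-priority buckets are this example's own assumptions, not a Qualys report format or Qualys severity levels; the sample rows and findings are constructed for illustration (the QIDs and CVEs in them are taken from the list above).

```python
"""Parse a published QID list into records and triage a WAS findings export
against it.  Added example, not Qualys code; the export format and the
priority buckets are assumptions."""
import csv
import io
import re

ROW_RE = re.compile(r"^(?P<qid>\d{6})\s*\|?\s*(?P<rest>\S.*)$")   # "531399Open..." or "531399 | Open..."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_PAREN_RE = re.compile(r"\s*\((CVE-[^)]*)\)\s*$")              # trailing "(CVE-..., CVE-...)"

# Rows copied from the list above in the fused form it was published in.
QID_LIST = """\
531399Open WebUI Path Traversal Vulnerability (CVE-2026-44566)
531400Open WebUI Authentication Bypass Vulnerability (CVE-2026-44551)
520146Apache HTTP Server mod_proxy_ajp Memory Corruption Vulnerabilities (CVE-2026-28780, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059)
531321Microsoft SharePoint Deserialization Remote Code Execution (RCE) Vulnerabilities
531303 | EOL/Obsolete Software: Apache Tomcat 8.5.X Detected
531336EOL/Obsolete Software: Zabbix 4.X Detected
531335Authentication Bypass via SQL Injection
"""

# Triage buckets keyed on words in the title (hyphens are normalised to spaces).
# These are this example's heuristic, not Qualys severity levels.
PRIORITY = [
    ("critical", ("remote code execution", "command injection", "deserialization",
                  "sandbox escape", "arbitrary file upload", "double free")),
    ("high", ("authentication bypass", "authorization bypass", "sql injection",
              "privilege escalation", "arbitrary file read", "path traversal",
              "server side request forgery", "object injection")),
    ("medium", ("cross site scripting", "cross site request forgery",
                "denial of service", "eol/obsolete")),
]
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def classify(title: str) -> str:
    """First bucket whose keyword appears in the title; 'low' if none does."""
    text = title.lower().replace("-", " ")
    for level, keywords in PRIORITY:
        if any(k in text for k in keywords):
            return level
    return "low"


def parse_qid_list(text: str) -> dict:
    """Map QID -> {'title', 'cves', 'priority'}; raises on a row it cannot parse."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("qid"):      # skip blanks and a header row
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        rest = m.group("rest")
        title = CVE_PAREN_RE.sub("", rest)                  # title without the CVE parenthesis
        records[int(m.group("qid"))] = {
            "title": title,
            "cves": CVE_RE.findall(rest),                   # [] for rows that list no CVE
            "priority": classify(title),
        }
    return records


# Constructed sample of a findings export; the column names are an assumption.
FINDINGS_CSV = """\
QID,Web Application,URL
531400,intranet-chat,https://chat.example.internal/api/v1/auths/
531303,legacy-portal,https://portal.example.internal/
531321,docs,https://docs.example.internal/_layouts/15/
999999,unknown-app,https://other.example.internal/
"""


def triage(records: dict, findings_csv: str):
    """Join findings with the parsed list.

    Returns (matched, unmatched): matched rows sorted by priority then QID,
    and the QIDs the export contains that the list does not cover."""
    matched, unmatched = [], []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        qid = int(row["QID"])
        rec = records.get(qid)
        if rec is None:
            unmatched.append(qid)
            continue
        matched.append({"qid": qid, "app": row["Web Application"], "url": row["URL"],
                        "priority": rec["priority"], "title": rec["title"], "cves": rec["cves"]})
    matched.sort(key=lambda r: (ORDER[r["priority"]], r["qid"]))
    return matched, unmatched


if __name__ == "__main__":
    hits, misses = triage(parse_qid_list(QID_LIST), FINDINGS_CSV)
    for h in hits:
        print(f"{h['priority']:<8} {h['qid']} {h['app']:<14} {h['title']} {' '.join(h['cves'])}")
    print("not in this month's list:", misses)
```

Rows that carry no CVE (the SharePoint deserialization entry, the EOL detections, the generic "Authentication Bypass via SQL Injection") still get a priority from the title, which is the point of keying on the weakness class rather than on CVE presence. QIDs in the export that are absent from the list are reported separately rather than silently dropped, so an older or newer QID is never mistaken for a clean result.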

What’s Next

Leverage the QID list to guide your remediation efforts and strengthen your risk posture.

Looking for more context or remediation tips? Head to the Qualys KnowledgeBase for detailed analysis, actionable guidance, and expert-backed support.
