Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Most vulnerable PHP frameworks report
A data-driven look at CVEs across Laravel, Symfony, CodeIgniter, Yii2 & ThinkPHP reveals which PHP frameworks carry the most real-world exploitation risk.
Drupal module vulnerability trends
Contributed modules drive most Drupal risk today. Here's what the advisory trends show — and how reachability analysis changes triage.
Laravel security vulnerability trends
A data-driven look at recurring Laravel vulnerability patterns — debug-mode RCE, APP_KEY leaks, and Composer supply chain risk — and how to defend against them.
Cargo crate vulnerability trends report
RustSec advisories rose 38% year-over-year as crates.io passed 195,000 packages. A breakdown of where Cargo's supply-chain risk is concentrated in 2026.
Malicious Rust crates found on crates.io
Malicious crates keep surfacing on crates.io, from the rustdecimal typosquat to build-script payload attacks. Here's how the pattern works and how to defend against it.
Unsafe Rust code vulnerability patterns
RustSec advisories tied to unsafe code keep climbing. Here's how unsound FFI, transmute misuse, and unchecked indexing become real exploits.
Rust supply chain security landscape
Rust's crates.io has topped 170,000 packages and real attacks are following. Here's what's changed and how security teams should respond.
RustSec advisory database trend report
RustSec crossed 200 advisories by July 2026, revealing a shift from memory bugs to malicious typosquats, unsound "safe" APIs, and abandoned crates.
Typosquatting on crates.io report
Safeguard's research team scanned all of crates.io and flagged 312 likely typosquat candidates — here's what the data shows and how Rust teams should respond.
CocoaPods trunk supply chain vulnerability report
Three CocoaPods trunk server flaws sat unpatched for a decade, exposing 1,866 orphaned pods to takeover. Here's what happened and how to defend your dependencies.
Swift Package Manager vulnerability trends
Typosquats, thin CVE coverage, and an executable manifest format: inside the Swift Package Manager vulnerability trends security teams can't ignore.
Malicious iOS SDKs and CocoaPods report
CocoaPods trunk server CVEs and the SourMint SDK scandal reveal how malicious iOS SDKs and pods slip past App Review for years.