Vulnerabilities
In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.
71 articles
Nginx Vulnerabilities: Tracking and Patching at Scale
Nginx vulnerabilities are rare compared to application-layer bugs but high-impact when they land — here's how to track disclosures and patch fleets without breaking uptime.
BOLA: Broken Object Level Authorization, Explained
A bola vulnerability lets one authenticated user reach another user's data just by changing an ID in a request — no exploit code required, which is exactly why scanners miss it so often.
PHP Vulnerability Classes and Common Fixes
The recurring php vulnerability classes — SQL injection, file inclusion, deserialization, and type-juggling bugs — and the specific fixes that close each one.
Stored XSS: Why Persistent Injection Hurts Most
Stored XSS saves the attacker's script server-side and serves it to everyone. Here is why persistent injection is the most damaging XSS variant and how to stop it.
jQuery 3.6.0 Vulnerabilities: What Is Actually Exploitable
Scanners keep flagging jQuery 3.6.0 as vulnerable — but jQuery core in that version has no known direct CVEs. Here is what the alerts really mean and where the exploitable risk actually lives.
The Java Security Manager Is Deprecated: What to Use Instead
JEP 411 deprecated the Java Security Manager for removal, and years of accumulated java security flaws in its trust model are why the platform is retiring it rather than fixing it further.
PHP 7.4.33 Vulnerabilities: The Real Risk of Running EOL PHP
PHP 7.4.33 was the final release in the 7.4 line before it reached end of life — running it today means every new vulnerability discovered afterward goes unpatched by design.
npm Security Vulnerabilities: How to Track Them
A practical system for tracking npm security vulnerabilities across a real dependency tree, why you shouldn't rely on npm check vulnerabilities output alone, and what to automate.
SQL Injection Prevention Cheat Sheet
A practitioner's SQL injection cheatsheet: parameterized queries, safe ORM use, input validation, least privilege, and the exact patterns to ban in review.
XSS Examples: Real Payloads and How They Execute
Concrete XSS examples across HTML, attribute, and JavaScript contexts, with the payloads that trigger them and why each one runs.
WooCommerce Vulnerabilities: A Recurring Pattern Worth Knowing
WooCommerce core is relatively well-maintained, but the plugin and extension ecosystem around it is where most reported WooCommerce vulnerabilities keep showing up.
XXE Examples: Annotated Payloads and Fixes
Concrete xxe examples showing how a malicious external entity reference reads local files or reaches internal services through an XML parser, and the config change that closes it.