Safeguard
Topic

Vulnerabilities

In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.

71 articles

Vulnerabilities

Preventing SQL Injection: A Defense-in-Depth Approach

Parameterized queries stop most SQL injection, but the attacks that make it to production usually slip past a single control — here's the layered defense that catches the rest.

Mar 18, 20256 min read
Vulnerabilities

XXE Attack Walkthroughs: What a Good Demo Actually Shows

Most XXE video walkthroughs stop at proof-of-concept file reads — here's what a genuinely useful one covers, plus the Java fix that actually closes the hole.

Mar 18, 20255 min read
Vulnerabilities

Data Vulnerability Classes in Modern Applications

Most breaches trace back to a handful of recurring data vulnerability patterns — from unencrypted storage to broken access checks. Here's how to categorize and prioritize them.

Mar 14, 20256 min read
Vulnerabilities

jQuery 3.7.1 Vulnerabilities: What Actually Changed From Earlier Releases

jQuery 3.7.1 vulnerabilities are mostly inherited history, not new CVEs — the real security story is what changed across 3.4, 3.5, and 3.7.

Mar 11, 20255 min read
Vulnerabilities

SQL Injection Detection: How Scanners Actually Find It

SQL injection detected in a scan report can mean very different things depending on whether it came from a static trace or a live dynamic test — here's how each actually works.

Feb 19, 20256 min read
Vulnerabilities

Node.js Vulnerabilities: Tracking and Patching at Scale

How to actually keep up with Node.js vulnerabilities across dozens of services — where advisories come from, what to automate, and what still needs a human.

Feb 19, 20255 min read
Vulnerabilities

Fixing XXE in Java: A Parser-by-Parser Hardening Guide

A parser-by-parser XXE fix for Java, covering DocumentBuilderFactory, SAXParser, XMLInputFactory, TransformerFactory, and the XML libraries that still ship unsafe defaults.

Feb 18, 20256 min read
Vulnerabilities

NoSQL Injection: A Practical Tutorial

NoSQL databases don't use SQL syntax, but they're not immune to injection attacks — this NoSQL injection tutorial covers how the attack actually works against MongoDB-style queries.

Feb 11, 20255 min read
Vulnerabilities

Java Vulnerability Classes: A Reference List

A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.

Feb 11, 20255 min read
Vulnerabilities

Lodash 4.17.21: The Security History Behind the Version Bump

Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.

Feb 11, 20255 min read
Vulnerabilities

CVE-2011-4969: The jQuery XSS Bug, a Decade Later

CVE-2011-4969 is a cross-site scripting flaw in jQuery versions before 1.6.3, triggered by unsanitized attribute-selector input — it's a small, old bug, but the reasons it lingered in codebases for years are still relevant.

Nov 19, 20245 min read
Vulnerabilities

SSRF Attacks: How Server-Side Request Forgery Works

SSRF tricks a server into making requests an attacker controls — reaching internal services, cloud metadata endpoints, and data no external user should touch. Here is how it works and how to stop it.

Sep 17, 20246 min read
Vulnerabilities (Page 3) — Supply Chain Security Blog | Safeguard