Vulnerabilities
In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.
71 articles
jQuery 3.5.1 Vulnerabilities: What Was Actually Fixed
jQuery 3.5.1 closed a second cross-site scripting hole in the htmlPrefilter regex that 3.5.0 had only partially patched — here's exactly what changed and why old jQuery bundles still trip scanners.
XSS Attack Explained: How Cross-Site Scripting Works
An XSS attack lets an attacker run their JavaScript in your users' browsers. Here is how cross-site scripting works, the three types, and how to stop it.
XXE Attacks Explained: XML External Entity Injection
How an XXE attack turns a trusting XML parser into a file-reading, request-forging liability, with a concrete Java example and the parser flags that shut it down.
Apache Struts 2 Vulnerabilities: A History Worth Knowing
Apache Struts 2 has produced some of the most damaging vulnerabilities in web application history, including the flaw behind the Equifax breach. Here's what happened and why it keeps happening.
CVE-2023-4807: The OpenSSL POLY1305 Flaw on Windows
A cryptographic MAC that silently trashes CPU registers: why CVE-2023-4807 only bites Windows builds of OpenSSL, what it can actually do, and which releases fix it.
jQuery 1.10.2 Vulnerabilities: Should You Still Worry?
jQuery 1.10.2, released in 2013, predates the fixes for three well-documented CVEs — CVE-2015-9251, CVE-2019-11358, and CVE-2020-11022/11023 — which means yes, it's genuinely still worth worrying about.
Nginx 1.20.1 Vulnerabilities: What to Patch
Nginx 1.20.1 fixed a real, exploitable DNS resolver bug — if you're still running an older 1.20.x or 1.19.x build, here's what the fix addressed and why it matters.
Notable CVEs of 2022: A Practitioner's Roundup
CVE-2022-31160 and a run of recursion-based denial-of-service bugs made 2022 a year defined less by exotic exploits and more by parsers that never expected deeply nested input.
The Spring Shell Vulnerability: What Happened
Spring4Shell (CVE-2022-22965) let attackers achieve remote code execution through Spring's data-binding mechanism — here's what made it exploitable and what actually needed patching.
Notable CVEs of 2023: A Practitioner's Roundup
From an OpenSSL IV-truncation flaw to a critical Babel code-execution bug, 2023's CVE crop is a good reminder that severity and blast radius don't always line up.
libwebp and CVE-2023-4863: The Full Story
A heap buffer overflow in libwebp's lossless decoder, exploited in the wild before a patch existed, turned out to affect far more software than the browser it was first reported in.