Vulnerability Management
In-depth guides and analysis on vulnerability management from the Safeguard engineering team.
133 articles
CVE-2021-45105: the Log4j denial-of-service flaw recursion built
CVE-2021-45105 scored CVSS 5.9 and let a single crafted lookup string crash a JVM with a StackOverflowError — no RCE required, just uncontrolled recursion.
When CVSS Scoring Misleads Severity Context
Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.
CVE-2022-31692: how a forward dispatch bypassed Spring Security authorization
A CVSS 9.8 flaw let a single internal forward skip Spring Security's URL-based access checks entirely — here's the root cause and the exact config fix.
Text4Shell deep dive: how CVE-2022-42889 turned string formatting into RCE
CVSS 9.8. Apache Commons Text 1.5–1.9 ran attacker strings through a script interpolator by default — here's the root cause and the fix.
Inside the OpenSSL punycode bug: why CVE-2022-3602 wasn't Heartbleed
OpenSSL pre-announced a 'critical' flaw in October 2022. It shipped as HIGH severity. Here's the buffer overflow, the downgrade, and the safe patch path.
Root cause: CVE-2022-40764, the Snyk CLI command injection
A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.
CVE-2022-33980: Interpolation-Based RCE in Apache Commons Configuration
A CVSS 9.8 flaw in Apache Commons Configuration 2.4–2.7 let default interpolators run script-engine expressions from untrusted config strings.
Reachability analysis for vulnerability triage
Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.
Vulnerability fatigue and the case for risk-based prioritization
48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.
CVE-2025-29927: inside the Next.js middleware auth bypass
A single spoofed header let attackers skip Next.js middleware entirely — CVSS 9.1, four major versions affected, exploited in the wild within days.
SBOM-based blast radius analysis for vulnerable dependencies
An SBOM tells you what's inside one artifact. It takes a dependency graph across every service to know what breaks first when a library gets a CVE.
A prioritization framework for triaging security alerts at scale
Only 2.6% of CVEs tracked in 2019 saw real-world exploitation, per Kenna Security/Cyentia — yet most teams still triage by CVSS alone. Here's a better framework.