Safeguard
Topic

Vulnerability Management

In-depth guides and analysis on vulnerability management from the Safeguard engineering team.

133 articles

Vulnerability Management

CVE-2021-45105: the Log4j denial-of-service flaw recursion built

CVE-2021-45105 scored CVSS 5.9 and let a single crafted lookup string crash a JVM with a StackOverflowError — no RCE required, just uncontrolled recursion.

Jul 16, 20266 min read
Vulnerability Management

When CVSS Scoring Misleads Severity Context

Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.

Jul 16, 20267 min read
Vulnerability Management

CVE-2022-31692: how a forward dispatch bypassed Spring Security authorization

A CVSS 9.8 flaw let a single internal forward skip Spring Security's URL-based access checks entirely — here's the root cause and the exact config fix.

Jul 15, 20266 min read
Vulnerability Management

Text4Shell deep dive: how CVE-2022-42889 turned string formatting into RCE

CVSS 9.8. Apache Commons Text 1.5–1.9 ran attacker strings through a script interpolator by default — here's the root cause and the fix.

Jul 12, 20266 min read
Vulnerability Management

Inside the OpenSSL punycode bug: why CVE-2022-3602 wasn't Heartbleed

OpenSSL pre-announced a 'critical' flaw in October 2022. It shipped as HIGH severity. Here's the buffer overflow, the downgrade, and the safe patch path.

Jul 12, 20265 min read
Vulnerability Management

Root cause: CVE-2022-40764, the Snyk CLI command injection

A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.

Jul 12, 20266 min read
Vulnerability Management

CVE-2022-33980: Interpolation-Based RCE in Apache Commons Configuration

A CVSS 9.8 flaw in Apache Commons Configuration 2.4–2.7 let default interpolators run script-engine expressions from untrusted config strings.

Jul 11, 20267 min read
Vulnerability Management

Reachability analysis for vulnerability triage

Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.

Jul 10, 20265 min read
Vulnerability Management

Vulnerability fatigue and the case for risk-based prioritization

48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.

Jul 10, 20267 min read
Vulnerability Management

CVE-2025-29927: inside the Next.js middleware auth bypass

A single spoofed header let attackers skip Next.js middleware entirely — CVSS 9.1, four major versions affected, exploited in the wild within days.

Jul 9, 20266 min read
Vulnerability Management

SBOM-based blast radius analysis for vulnerable dependencies

An SBOM tells you what's inside one artifact. It takes a dependency graph across every service to know what breaks first when a library gets a CVE.

Jul 9, 20266 min read
Vulnerability Management

A prioritization framework for triaging security alerts at scale

Only 2.6% of CVEs tracked in 2019 saw real-world exploitation, per Kenna Security/Cyentia — yet most teams still triage by CVSS alone. Here's a better framework.

Jul 9, 20267 min read
Vulnerability Management — Supply Chain Security Blog | Safeguard