Safeguard
Topic

Vulnerability Management

In-depth guides and analysis on vulnerability management from the Safeguard engineering team.

133 articles

Vulnerability Management

Continuous vulnerability management: the discovery-to-verification lifecycle

CISA's new BOD 26-04 gives federal agencies as little as 3 days to remediate the highest-risk flaws — a preview of the SLA pressure every engineering org now faces.

Jul 8, 20267 min read
Vulnerability Management

Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation

crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.

Jul 8, 20266 min read
Vulnerability Management

The CUPS RCE Chain: A Technical Breakdown of CVE-2024-47176

Four medium-severity CUPS bugs chained into unauthenticated RCE on UDP/631 — a masterclass in why CVSS scores per-CVE miss the real risk of a vulnerability chain.

Jul 8, 20266 min read
Vulnerability Management

Inside CVE-2023-38545: the libcurl SOCKS5 heap overflow

A single off-by-length check in curl's SOCKS5 handshake, live for over three years across libcurl 7.69.0–8.3.x, earned a 9.8 CVSS score and a CWE-787 out-of-bounds write.

Jul 8, 20266 min read
Vulnerability Management

CVSS 4.0 vs. 3.1: what actually changed, and why your priority list should too

CVSS 4.0 killed the Scope metric, added Attack Requirements, and split scoring into CVSS-B/BT/BE/BTE labels — here's what that means for triage.

Jul 8, 20266 min read
Vulnerability Management

Exploitability vs. breakability: a practical rubric for vulnerability triage

CVSS says a flaw could be bad. CISA's KEV catalog, now past 1,300 entries, says one actually was exploited. Most teams still triage as if the two are the same.

Jul 8, 20267 min read
Vulnerability Management

HTTP/2 CONTINUATION Flood: Inside CVE-2024-27316 and the Frame-Based DoS Class

A single TCP connection with no END_HEADERS flag was enough to crash major HTTP/2 servers — worse than Rapid Reset, and it took the industry a decade to check for it.

Jul 8, 20267 min read
Vulnerability Management

HTTP/2 Rapid Reset: inside CVE-2023-44487

A single HTTP/2 feature let attackers hit 398 million requests per second. Here's how Rapid Reset (CVE-2023-44487) broke nearly every major web server at once.

Jul 8, 20266 min read
Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
Vulnerability Management

The 10 most common code-level vulnerability classes, ranked by real-world data

MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.

Jul 8, 20268 min read
Vulnerability Management

NVD's enrichment backlog and how to build a multi-source vuln database strategy

NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.

Jul 8, 20266 min read
Vulnerability Management

What PHP's use-after-free bugs teach us about dynamic-runtime memory safety

Check Point disclosed three PHP 7 unserialize zero-days in 2016 alone. A decade of PHP use-after-free CVEs shows memory-safety risk doesn't end at the C/C++ boundary.

Jul 8, 20266 min read
Vulnerability Management (Page 2) — Supply Chain Security Blog | Safeguard