Safeguard
Tag

cve

Safeguard articles tagged "cve" — guides, analysis, and best practices for software supply chain and application security.

136 articles

Application Security

URL parser confusion: how inconsistent parsing enables SSRF and auth bypass

Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.

Jul 16, 20266 min read
Supply Chain Security

A patching playbook for critical open-source CVEs

Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.

Jul 13, 20266 min read
Container Security

A Practical Container Security Checklist: From Base Image to Runtime

Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.

Jul 10, 20266 min read
Vulnerability Analysis

curl SOCKS5 Heap Overflow (CVE-2023-38545) Explained: When a Long Hostname Broke the Handshake

CVE-2023-38545 is a heap buffer overflow in curl and libcurl's SOCKS5 proxy handshake, triggered when a too-long hostname is copied into a fixed buffer during a slow handshake. Here is the bug.

Jul 8, 20266 min read
Concepts

CVE vs CWE: What's the Difference?

A CVE identifies one specific vulnerability in one product; a CWE names the underlying type of weakness that caused it. Here's how the two systems differ and how they work together.

Jul 8, 20267 min read
Vulnerability Analysis

Ghostscript (CVE-2023-36664) Explained: Command Injection via Pipe Devices

CVE-2023-36664 let a crafted PostScript or EPS file run system commands through Ghostscript's mishandling of pipe device filenames. Because Ghostscript hides behind image tools, the blast radius was wide.

Jul 8, 20266 min read
Concepts

What Is Vulnerability Management? A Complete Explanation

Vulnerability management is the continuous, cyclical process of identifying, prioritizing, remediating, and verifying security weaknesses across your software and systems. Here's the full lifecycle and how to run it without drowning in findings.

Jul 8, 20267 min read
Open Source Security

What the curl CVE disclosures teach about patching embedded C libraries

curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.

Jul 8, 20267 min read
Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
Vulnerability Management

NVD's enrichment backlog and how to build a multi-source vuln database strategy

NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.

Jul 8, 20266 min read
Vulnerability Management

CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong

One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.

Jul 8, 20267 min read
Vulnerability Analysis

regreSSHion (CVE-2024-6387) Explained: A Signal-Handler Race That Reopened an Old OpenSSH RCE

CVE-2024-6387, regreSSHion, is an unauthenticated remote code execution flaw in OpenSSH's sshd caused by a signal-handler race — a regression of a bug fixed back in 2006.

Jul 7, 20266 min read
cve — Safeguard Blog