cve
Safeguard articles tagged "cve" — guides, analysis, and best practices for software supply chain and application security.
136 articles
URL parser confusion: how inconsistent parsing enables SSRF and auth bypass
Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.
A patching playbook for critical open-source CVEs
Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.
A Practical Container Security Checklist: From Base Image to Runtime
Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.
curl SOCKS5 Heap Overflow (CVE-2023-38545) Explained: When a Long Hostname Broke the Handshake
CVE-2023-38545 is a heap buffer overflow in curl and libcurl's SOCKS5 proxy handshake, triggered when a too-long hostname is copied into a fixed buffer during a slow handshake. Here is the bug.
CVE vs CWE: What's the Difference?
A CVE identifies one specific vulnerability in one product; a CWE names the underlying type of weakness that caused it. Here's how the two systems differ and how they work together.
Ghostscript (CVE-2023-36664) Explained: Command Injection via Pipe Devices
CVE-2023-36664 let a crafted PostScript or EPS file run system commands through Ghostscript's mishandling of pipe device filenames. Because Ghostscript hides behind image tools, the blast radius was wide.
What Is Vulnerability Management? A Complete Explanation
Vulnerability management is the continuous, cyclical process of identifying, prioritizing, remediating, and verifying security weaknesses across your software and systems. Here's the full lifecycle and how to run it without drowning in findings.
What the curl CVE disclosures teach about patching embedded C libraries
curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.
Log4Shell and Spring4Shell, years later: why the same bug keeps coming back
CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong
One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.
regreSSHion (CVE-2024-6387) Explained: A Signal-Handler Race That Reopened an Old OpenSSH RCE
CVE-2024-6387, regreSSHion, is an unauthenticated remote code execution flaw in OpenSSH's sshd caused by a signal-handler race — a regression of a bug fixed back in 2006.