cve-analysis
Safeguard articles tagged "cve-analysis" — guides, analysis, and best practices for software supply chain and application security.
134 articles
systeminformation npm package command injection (CVE-2021-21315)
A critical command injection flaw in the systeminformation npm package (CVE-2021-21315) let attackers run OS commands via unsanitized shell calls. Here's the full breakdown.
node-forge prototype pollution/signature verification issue (CVE-2020-7712)
node-forge's RSA signature verification (CVE-2022-24771/24772) and prototype pollution (CVE-2020-7720) let attackers forge trust decisions across X.509, PKCS#7, and PKCS#12 flows.
CVE analysis: critical vulnerabilities in open source fin...
Log4Shell, Spring4Shell, and the Struts flaw behind Equifax: real CVEs still lurking in banking and fintech open source stacks, with fixes and detection tips.
browserslist ReDoS vulnerability (CVE-2021-23364)
A ReDoS flaw in browserslist (CVE-2021-23364) let crafted query strings stall builds across the JS ecosystem. Here's the full breakdown and fix.
tough-cookie prototype pollution (CVE-2023-26136)
CVE-2023-26136: a prototype pollution flaw in tough-cookie hides deep in transitive Node.js dependencies. Impact, timeline, and remediation steps.
Python setuptools package_index ReDoS (CVE-2022-40897)
CVE-2022-40897 is a ReDoS flaw in setuptools' package_index.py that can hang CI pipelines when parsing crafted index pages. Here's how to detect and fix it.
CVE analysis: nation-state supply chain attacks on defens...
CVE analysis of nation-state supply chain attacks on defense contractors: SolarWinds SUNBURST and Ivanti Connect Secure exploitation, CVSS, KEV, and fixes.
CVE analysis: vulnerabilities in Open RAN and 5G core net...
An open RAN 5G core CVE analysis of the 5Ghoul modem flaws: affected components, CVSS/EPSS/KEV context, disclosure timeline, and practical remediation steps.
CVE analysis: Magecart and e-commerce JavaScript supply c...
A Magecart supply chain attack analysis of the CVEs and exploit chains behind skimmer campaigns on Adobe Commerce and Magento, plus how to defend checkout pages.
CVE analysis: vulnerabilities in SCADA and industrial con...
A SCADA industrial control CVE analysis of CVE-2018-8872, the Triconex Tricon flaw behind the TRITON safety-system attack — affected versions, CVSS context, timeline, and remediation.
Analysis of known MCP server CVEs and disclosed vulnerabi...
Two critical CVEs — in mcp-remote and Anthropic's MCP Inspector — reveal how MCP server vulnerabilities let untrusted servers execute code on client machines.
What is prototype pollution and why it keeps recurring in npm packages
Prototype pollution has hit lodash, jQuery, minimist, hoek, and immer since 2018. Here's how the bug works and why it keeps coming back in npm.