Safeguard
Tag

cve

Safeguard articles tagged "cve" — guides, analysis, and best practices for software supply chain and application security.

136 articles

Vulnerability Analysis

WebP (CVE-2023-4863) Explained: The libwebp Heap Overflow That Patched the Web

CVE-2023-4863 was an actively exploited heap buffer overflow in libwebp's Huffman decoder. Because the codec is vendored everywhere, one bug forced emergency patches across browsers and apps.

Jul 3, 20266 min read
Vulnerability Analysis

GitHub Advisory Database: 30,000+ curated advisories beyo...

GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.

Jul 3, 20267 min read
Vulnerability Analysis

Apache Struts (CVE-2017-5638) Explained: The OGNL Header That Breached Equifax

CVE-2017-5638 let attackers run commands on Apache Struts 2 servers through a crafted Content-Type header. It is the unpatched flaw behind the Equifax breach. Here is the OGNL mechanism.

Jul 2, 20265 min read
Vulnerability Analysis

ProxyShell (CVE-2021-34473) Explained: The Exchange Path Confusion Behind a Pre-Auth RCE Chain

CVE-2021-34473 is the path-confusion flaw at the head of ProxyShell — a three-bug Microsoft Exchange chain that took unauthenticated attackers all the way to remote code execution.

Jul 2, 20265 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965) Explained: RCE Through Spring Data Binding

CVE-2022-22965, Spring4Shell, let attackers write a JSP web shell to Spring MVC apps on JDK 9+ by abusing data binding. Here is the ClassLoader trick and the exact conditions required.

Jul 2, 20265 min read
Vulnerability Analysis

Heartbleed (CVE-2014-0160) Explained: When OpenSSL Leaked Memory to Anyone

CVE-2014-0160, Heartbleed, let remote attackers read up to 64KB of an OpenSSL server's memory per request — private keys, sessions, passwords. Here is the missing bounds check that caused it.

Jul 1, 20266 min read
Tutorials

How to Read a CVE: A Beginner's Guide

A plain-language walkthrough of what a CVE record contains and how to read one — the ID, description, CVSS score, CWE, affected versions, and whether a fix exists.

Jul 1, 20265 min read
Vulnerability Analysis

ProxyLogon (CVE-2021-26855) Explained: The Exchange SSRF That Opened a Pre-Auth Door

CVE-2021-26855, ProxyLogon, is a server-side request forgery in Microsoft Exchange that let unauthenticated attackers impersonate the server — the first link in a chain to full remote code execution.

Jul 1, 20265 min read
Vulnerability Analysis

PwnKit (CVE-2021-4034) Explained: Root From a 12-Year-Old Polkit Bug

CVE-2021-4034, aka PwnKit, is a memory-corruption flaw in polkit's pkexec that gives any local user reliable root on nearly every Linux distribution. Here is how it works and how to close it.

Jul 1, 20265 min read
Concepts

What Is a CVE? Understanding Vulnerability IDs

A CVE is a unique public ID given to a specific known security weakness, so everyone can talk about the same flaw without confusion. Here's how the system works.

Jul 1, 20266 min read
Supply Chain Security

CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm

The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.

Jun 23, 20267 min read
Strategy

Cost-Per-Verified-Finding: How Agentic AI Breaks Vulnerability Triage

Agentic AI can generate findings faster than any team can read them. The metric that survives that flood isn't cost-per-finding, it's cost-per-verified-finding. Here's why verification is now the bottleneck.

Jun 18, 20267 min read
cve (Page 3) — Safeguard Blog