vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
GitHub Advisory Database: 30,000+ curated advisories beyo...
GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.
Log4j Log4Shell vulnerability explained CVE-2021-44228
Log4Shell (CVE-2021-44228) let attackers gain RCE via a single logged string. Here's the CVSS/EPSS/KEV context, timeline, and how to remediate it.
Inside the GitHub Advisory Database: how vulnerability re...
How vulnerability records actually get into the GitHub Advisory Database — curation, CNA status, GHAS enrichment, and the gaps in severity and version data teams should watch for.
NVD in the AI era: multi-source vulnerability intelligence
NVD's 2024 enrichment backlog exposed the risk of a single vulnerability feed. Here's how multi-source data and AI triage close the gap.
What is a known vulnerability?
A known vulnerability is a publicly disclosed, CVE-tracked flaw — and disclosure alone doesn't mean it's fixed, patched, or harmless.
Understanding CVSS scoring for vulnerabilities
CVSS scores run 0-10, but a 9.8 doesn't always mean patch tonight. Here's how base scores are calculated and why context beats the number.
When is a CVE not a CVE?
Not all CVEs are equal: NVD's 2024 backlog, disputed curl CVEs, and duplicate OpenSSL bugs show why CVE quality varies wildly.
Vulnerability vs weakness: CVE vs CWE explained
CVE identifies one specific vulnerability; CWE identifies the weakness pattern behind it. Here's how the two taxonomies connect and why both matter.
The CWE Top 25 most dangerous software weaknesses
MITRE's 2023 CWE Top 25 ranks the software weaknesses behind 43,996 CVEs. Here's how it's scored, what moved, and how to prioritize fixes.
CVE-2025-29927: Next.js middleware authorization bypass
A spoofable internal header let attackers skip Next.js middleware outright, bypassing auth and route protection across many production deployments.
React Server Components RCE vulnerability advisory
CVE-2025-29927 lets attackers bypass Next.js middleware auth with a forged header — a chain that can escalate to full RCE on React Server Components apps.
Palo Alto PAN-OS CVE-2026-0265: CAS Signature-Verification Auth Bypass (May 2026)
Palo Alto disclosed CVE-2026-0265 on May 13, 2026, a cryptographic-signature-verification flaw in Cloud Authentication Service that bypasses PAN-OS authentication. Researchers claim live GlobalProtect portal bypasses. Full analysis.