CVE-2026-44219 ciguard: SCA HTTP client reads response body without size cap

ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loadsresp.read.decode'utf-8' without a maximum-bytes cap. A hostile or compromised endoflife.date /...

lw-cnapp-microservices-iac

Project 2: Microservices with Infrastructure as Code ⚠️ WAR...

CVE-2025-0504

Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator functionalities which should have be inaccessible...

CVE-2025-0504

Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator functionalities which should have be inaccessible...

EUVD-2023-2227

Malicious code in bioql PyPI...

Elevate Your Container Security with QScanner in 2025

Securing container images is more important than ever in the dynamic world of cloud-native technologies. Organizations have long utilized reliable solutions from Qualys to scan their images, ensuring applications run smoothly and securely. These tools have played a crucial role in maintaining the...

De-risk the Software Supply Chain by Expanding Unparalleled Detection Coverage With Qualys VMDR and Software Composition Analysis

QIDs/CVEs When it comes to cybersecurity, speed is key in getting an edge over attackers. But when you consider that vulnerabilities weaponize 24 days faster than then they are remediated on average, cybersecurity stakeholders have a lot of catching up to do. While there are many ways defenders c...

Exploit for Out-of-bounds Write in Hutool

json.org CVE-2022-45688 false positive The project contains...

Exploit for Out-of-bounds Write in Hutool

json.org CVE-2022-45688 true positive The project illustrate...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

log4shell false positive This is a simple web project with a...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

log4shell true positive This is a simple web project with a...

Discover and Assess the Risk of Embedded Open-Source Software (OSS) Vulnerabilities

Runtime Software Composition Analysis with the Qualys Cloud Agent In a blog post published last week, we discussed the importance of managing risk across software developed in-house. A great deal of that risk is introduced by vulnerabilities in open-source packages like Log4Shell, OpenSSL, etc...

Qualys Is the Outperformer in the New GigaOm Radar Report for Continuous Vulnerability Management

GigaOm has unveiled its third-annual Radar for Continuous Vulnerability Management featuring Qualys. In this Report, GigaOm provides a detailed analysis of the value and progression of vulnerability management VM capabilities to help organizations build the best security and vulnerability...

CVE-2023-40024

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting XSS vulnerability when attempting to access a detailed license vie...

Cross site scripting

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting XSS vulnerability when attempting to access a detailed license vie...

CVE-2023-40024 Reflected Cross-Site Scripting (XSS) in scancode.io license endpoint

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting XSS vulnerability when attempting to access a detailed license vie...

CVE-2023-39523

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. In the...

Command injection

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. In the...

CVE-2023-39523

CVE-2023-39523 affects ScanCode.io prior to 32.5.1. The vulnerability is a command injection in fetch_docker_image: docker_reference is user-controlled and passed to get_docker_image_platform, which builds a shell command that is executed without sanitization. A malicious user could inject comman...

CVE-2023-39523 ScanCode.io command injection in docker image fetch process

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. In the...