Vulnerability disclosure

Sonar security: We find, we fix.

Our commitment to code security extends beyond your application. Sonar’s dedicated security research team continuously identifies and responsibly discloses vulnerabilities across key open source projects and packages.

| Severity | CVE | Software | Category | Impact | Weakness | Links |
|---|---|---|---|---|---|---|
| 4.1 | CVE-2025-53637 | meshtastic/firmware | GitHub Actions, CI/CD | Repository Takeover | Command Injection | SonarQube Cloud, Blog |
| 9.3 | CVE-2025-61584 | serverless-dns | GitHub Actions, CI/CD | Repository Takeover | Command Injection | |
| 6.5 | CVE-2025-32779 | EDDI | Java, AI | Remote Code Execution | Zip Slip | |
| 7.8 | CVE-2025-25251 | FortiClient | C++, Endpoint Protection | Privilege Escalation | PID Reuse | |
| 5.3 | CVE-2025-22859 | Fortinet EMS | Apache2, Endpoint Protection | Session Takeover | XSS | |
| 10 | CVE-2024-1597 | PgJDBC | Java, Database Client | SQL Injection | Command Injection | |
| 6.8 | CVE-2025-2703 | Grafana | TypeScript, Analytics | Session Takeover | XSS | |
| 10 | CVE-2024-29201 | JumpServer | Python, Privileged Access Management | Remote Code Execution | Validation Bypass | |
| 8.3 | CVE-2024-35219 | OpenAPI Generator | Java, API Management | File Read | Path Traversal | |
| 9.3 | CVE-2024-42009 | Roundcube | PHP, Webmail | Session Takeover | XSS, Desanitization | |
| 9.9 | CVE-2024-39930 | Gogs | Go, Source Code Hosting | Remote Code Execution | Argument Injection | |
| 6.2 | CVE-2024-30270 | Mailcow | PHP, Webmail | Remote Code Execution | File Write | |
© 2025 SonarSource Sàrl. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD and CLEAN AS YOU CODE are registered trademarks of SonarSource Sàrl.