Vulnerability disclosure

Sonar security: We find, we fix.

Our commitment to code security extends beyond your application. Sonar’s dedicated security research team continuously identifies and responsibly discloses vulnerabilities across key open source projects and packages.

SeveritySoftwareImpactLinks
4.1
CVE-2025-53637

meshtastic/firmware

  • GitHub Actions
  • CI/CD

Repository Takeover

  • Command Injection
SonarQube CloudBlog
9.3
CVE-2025-61584

serverless-dns

  • GitHub Actions
  • CI/CD

Repository Takeover

  • Command Injection
SonarQube CloudBlog
6.5
CVE-2025-32779

EDDI

  • Java
  • AI

Remote Code Execution

  • Zip Slip
SonarQube CloudBlog
7.8
CVE-2025-25251

FortiClient

  • C++
  • Endpoint Protection

Privilege Escalation

  • PID Reuse
Blog
5.3
CVE-2025-22859

Fortinet EMS

  • Apache2
  • Endpoint Protection

Session Takeover

  • XSS
Blog
10
CVE-2024-1597

PgJDBC

  • Java
  • Database Client

SQL Injection

  • Command Injection
Blog
6.8
CVE-2025-2703

Grafana

  • TypeScript
  • Analytics

Session Takeover

  • XSS
SonarQube CloudBlog
10
CVE-2024-29201

JumpServer

  • Python
  • Privileged Access Management

Remote Code Execution

  • Validation Bypass
Blog
8.3
CVE-2024-35219

OpenAPI Generator

  • Java
  • API Management

File Read

  • Path Traversal
SonarQube CloudBlog
9.3
CVE-2024-42009

Roundcube

  • PHP
  • Webmail

Session Takeover

  • XSS
  • Desanitization
Blog
9.9
CVE-2024-39930

Gogs

  • Go
  • Source Code Hosting

Remote Code Execution

  • Argument Injection
Blog
6.2
CVE-2024-30270

Mailcow

  • PHP
  • Webmail

Remote Code Execution

  • File Write
SonarQube CloudBlog
Go to SonarSource homepage
sonar logo
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin
language switcher
日本語 (Japanese)
  • 法的文書
  • トラスト センター

© 2025 SonarSource Sàrl.無断複写・転載を禁じます。