GitHub Actions package
SonarSource/sonarqube-scan-action
pkg:github/SonarSource/sonarqube-scan-action
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59844 | High | — | | >= 4.0.0, < 6.0.0 | 6.0.0 | Sep 26, 2025 | SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args paramet |
| CVE-2025-58178 | High | 7.8 | | >= 4.0.0, < 5.3.1 | 5.3.1 | Sep 2, 2025 | SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed without |