Sonarsource
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-47910 | | High | 0.47 | 7.2 | 0.00 | | Oct 4, 2024 | An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT. |
| CVE-2025-58178 | | High | 0.44 | 7.8 | 0.01 | | Sep 2, 2025 | SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed… |
| CVE-2025-59844 | | High | 0.43 | — | 0.02 | | Sep 26, 2025 | SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args… |
| CVE-2025-62292 | | Medium | 0.28 | 4.3 | 0.00 | | Oct 10, 2025 | In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts. |
| CVE-2013-5676 | | | 0.03 | — | 0.05 | | Dec 13, 2013 | The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure. |
| CVE-2024-47911 | | | 0.00 | — | 0.00 | | Oct 4, 2024 | In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands. |
| CVE-2019-17579 | | | 0.00 | — | 0.01 | | Oct 14, 2019 | SonarSource SonarQube before 7.8 has XSS in project links on account/projects. |