VYPR

Vendor: Sonarsource
Products: 3
CVEs: 7
Across products: 7
Status: Private

Recent CVEs (7)
  • CVE-2024-47910 | High | Oct 4, 2024
    risk 0.47 | cvss 7.2 | epss 0.00

    An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT.

  • CVE-2025-58178 | High | Sep 2, 2025
    risk 0.44 | cvss 7.8 | epss 0.01

    SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed…

  • CVE-2025-59844 | High | Sep 26, 2025
    risk 0.43 | cvss: not listed | epss 0.02

    SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args…

  • CVE-2025-62292 | Medium | Oct 10, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.

  • CVE-2013-5676 | Dec 13, 2013
    risk 0.03 | cvss: not listed | epss 0.05

    The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.

  • CVE-2024-47911 | Oct 4, 2024
    risk 0.00 | cvss: not listed | epss 0.00

    In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands.

  • CVE-2019-17579 | Oct 14, 2019
    risk 0.00 | cvss: not listed | epss 0.01

    SonarSource SonarQube before 7.8 has XSS in project links on account/projects.