SonarSource SonarSource Code Quality and Code Security tools

  1. Vendors
  2. SonarSource

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any SonarSource product.

RSS Feeds for SonarSource security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in SonarSource products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by SonarSource Sorted by Most Security Vulnerabilities since 2018

SonarSource Sonarqube10 vulnerabilities

SonarSource Sonarqube Docker Image1 vulnerability

SonarSource Sonarqube Scanner1 vulnerability

By the Year

In 2026 there have been 1 vulnerability in SonarSource with an average score of 7.8 out of ten. Last year, in 2025 SonarSource had 2 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.50.




Year Vulnerabilities Average Score
2026 1 7.80
2025 2 4.30
2024 3 6.50
2023 0 0.00
2022 0 0.00
2021 0 0.00
2020 3 7.53
2019 2 7.80
2018 1 4.30

It may take a day or so for new SonarSource vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent SonarSource Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2020-37020 Jan 29, 2026
SonarQube 8.3.1 Unquoted Service Path Exploit to SYSTEM Privileges SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during service restart.
Sonarqube
CVE-2025-62292 Oct 10, 2025
SonarQube <=25.6: LowPriv Users Leak AdminOnly Email via /api/v2/users In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.
Sonarqube
CVE-2025-59844 Sep 26, 2025
Command Injection in SonarQube GitHub Action 4.0.0<6.0.0 (Windows) SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment. The vulnerability has been fixed in version 6.0.0. Users should upgrade to this version or later.
Sonarqube
CVE-2024-47911 Oct 04, 2024
Blind SQLi via group-memberships API in SonarQube 10.4-10.5 (Admin) In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands.
Sonarqube
CVE-2024-47910 Oct 04, 2024
SonarQube <10.5 Admin Exploits GitHub JWT Exfiltration An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT.
Sonarqube
CVE-2024-38460 Jun 16, 2024
SonarQube <10.4/9.9.4 LTA: Settings Encryption values exposed in logs In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).
Sonarqube
CVE-2020-35193 Dec 16, 2020
The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. System using the sonarqube docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
Sonarqube Docker Image
CVE-2020-28002 Nov 02, 2020
In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This allows creating and overwriting public and private projects via the /api/ce/submit endpoint.
Sonarqube
CVE-2020-27986 Oct 28, 2020
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it.
Sonarqube
CVE-2019-17579 Oct 14, 2019
SonarSource SonarQube before 7.8 has XSS in project links on account/projects. SonarSource SonarQube before 7.8 has XSS in project links on account/projects.
Sonarqube
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.