SonarSource Sonarqube
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in SonarSource Sonarqube.
By the Year
In 2026 there have been 1 vulnerability in SonarSource Sonarqube with an average score of 7.8 out of ten. Last year, in 2025 Sonarqube had 2 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.50.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.80 |
| 2025 | 2 | 4.30 |
| 2024 | 3 | 6.50 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 6.40 |
| 2019 | 1 | 0.00 |
| 2018 | 1 | 4.30 |
It may take a day or so for new Sonarqube vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent SonarSource Sonarqube Security Vulnerabilities
SonarQube 8.3.1 Unquoted Service Path Exploit to SYSTEM Privileges
CVE-2020-37020
7.8 - High
- January 29, 2026
SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during service restart.
Unquoted Search Path or Element
SonarQube <=25.6: LowPriv Users Leak AdminOnly Email via /api/v2/users
CVE-2025-62292
4.3 - Medium
- October 10, 2025
In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.
Incorrect Resource Transfer Between Spheres
Command Injection in SonarQube GitHub Action 4.0.0<6.0.0 (Windows)
CVE-2025-59844
- September 26, 2025
SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. A command injection vulnerability exists in SonarQube GitHub Action in version 4.0.0 to before version 6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment. The vulnerability has been fixed in version 6.0.0. Users should upgrade to this version or later.
Shell injection
Blind SQLi via group-memberships API in SonarQube 10.4-10.5 (Admin)
CVE-2024-47911
- October 04, 2024
In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands.
SonarQube <10.5 Admin Exploits GitHub JWT Exfiltration
CVE-2024-47910
- October 04, 2024
An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT.
SonarQube <10.4/9.9.4 LTA: Settings Encryption values exposed in logs
CVE-2024-38460
6.5 - Medium
- June 16, 2024
In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).
Insertion of Sensitive Information into Log File
In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner
CVE-2020-28002
5.3 - Medium
- November 02, 2020
In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This allows creating and overwriting public and private projects via the /api/ce/submit endpoint.
authentification
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI
CVE-2020-27986
7.5 - High
- October 28, 2020
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it.
Missing Authentication for Critical Function
SonarSource SonarQube before 7.8 has XSS in project links on account/projects.
CVE-2019-17579
- October 14, 2019
SonarSource SonarQube before 7.8 has XSS in project links on account/projects.
A vulnerability in the API of SonarSource SonarQube before 7.4 could
CVE-2018-19413
4.3 - Medium
- December 14, 2018
A vulnerability in the API of SonarSource SonarQube before 7.4 could allow an authenticated user to discover sensitive information such as valid user-account logins in the web application. The vulnerability occurs because of improperly configured access controls that cause the API to return the externalIdentity field to non-administrator users. The attacker could use this information in subsequent attacks against the system.
Information Disclosure
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for SonarSource Sonarqube or by SonarSource? Click the Watch button to subscribe.
