N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-59844

GHSA ID

GHSA-5xq9-5g24-4g6f

EPSS Score

0.5316%

CWE

CWE-78

Published

9/26/2025

Updated

9/26/2025

KEV Status

Technology

GitHub Actions

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59844

CVE-2025-59844: Argument injection vulnerability in SonarQube Scan Action

A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment.

Patches

The vulnerability has been fixed in version v6.0.0. Users should upgrade to this version or later.

References

Community Post: https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281
Fix release: https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-59844

GHSA ID

GHSA-5xq9-5g24-4g6f

EPSS Score

0.5316%

CWE

CWE-78

Published

9/26/2025

Updated

9/26/2025

KEV Status

Technology

GitHub Actions

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
SonarSource/sonarqube-scan-action	actions	>= 4.0.0, < 6.0.0	6.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

* *omm*n* inj**tion vuln*r**ility *xists in Son*rQu** *it*u* **tion prior to v*.*.* w**n work*lows p*ss us*r-*ontroll** input to t** *r*s p*r*m*t*r on Win*ows runn*rs wit*out prop*r v*li**tion. T*is vuln*r**ility *yp*ss*s * pr*vious s**urity *ix *n*

Reasoning

No *n*lysis *v*il**l*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-59844: Argument injection vulnerability in SonarQube Scan Action

Patches

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI