cve severity scores - Blog_Thumbnail

Where Severity Scores Go Wrong: “Just Add Prototype Pollution”

At JFrog, our Security Research team continuously monitors and analyzes newly disclosed CVEs across the open-source ecosystem. Throughout our research, we have repeatedly observed cases where the assigned severity score does not accurately reflect a vulnerability’s real-world impact or exploitability. In fact, during 2025, JFrog researchers reassessed NVD critical-severity vulnerabilities and concluded that 96% warranted …

repohunter, ci/cd security, github actions, shai hulud, supply chain attack, cybersecurity, ai, devsecops, vulnerability research, pwn request, open source, ansible, software security

How JFrog’s AI-Research Bot Found OSS CI/CD Vulnerabilities to Prevent Shai Hulud 3.0

Recent incidents have proven that Continuous Integration (CI) workflows are the new battleground for software supply chain attacks. Security Pitfalls in GitHub Actions workflows, such as the unsanitized use of pull request (PR) data, can allow attackers to execute malicious code during CI runs with devastating consequences. For example, the high-profile “S1ngularity” attack on the …