SonarQube · SonarQube Scan GitHub Action · CVE-2025-58178
**Name of the Vulnerable Software and Affected Versions**
SonarQube Scan GitHub Action, versions 4 through 5.3.0. The affected component is the GitHub Action that wraps the scanner for use in workflows, not the SonarQube server itself.
**Description**
SonarQube is a static analysis solution for continuous code quality and security inspection; the SonarQube Scan GitHub Action runs its scanner from a GitHub Actions workflow. A command injection issue was identified in that action: the text supplied through its arguments input (`args`) is handed to the shell and evaluated as shell code instead of being passed to the scanner as literal argument values. Any attacker-controlled text that reaches that input, for example a pull request title, branch name or issue body that a workflow interpolates into the step, can therefore execute arbitrary commands on the runner with the workflow's permissions and with access to whatever secrets the step can see.
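To make the bug class concrete, the following is an added example and not code from the SonarQube Scan GitHub Action or from SonarSource. It uses a stand-in scanner (`fake_scanner`), a constructed hostile argument string (`HOSTILE_ARGS`), a marker file the payload creates, and two wrapper functions (`vulnerable_run`, `hardened_run`) that are assumptions made for illustration. The vulnerable pattern shown is `eval` over the input string, which is one way an argument string ends up being treated as a shell expression; the hardened pattern only field-splits the string and passes each word as a literal argument.

```sh
#!/bin/sh
# Added example: not code from the SonarQube Scan GitHub Action or from
# SonarSource. It models the bug class described above with a stand-in
# scanner, a hostile argument string and two ways of invoking the scanner.

# Stand-in for the scanner binary: prints each argument it receives on its
# own line, so we can see exactly what the real scanner would have been given.
fake_scanner() {
  for a in "$@"; do
    printf '%s\n' "$a"
  done
}

# Scratch location for the payload's side effect (assumed, created here).
WORKDIR=$(mktemp -d)
INJECT_MARKER="$WORKDIR/pwned"

# Constructed hostile input, as an attacker might get it into a workflow via
# a pull request title or branch name. The first word is a normal scanner
# property; the second is a command substitution. Here the payload only
# creates a marker file; in a real attack it would read secrets off the runner.
HOSTILE_ARGS='-Dsonar.projectKey=demo $(touch "$INJECT_MARKER")'

# Vulnerable pattern: the input string is re-parsed as shell code, so the
# $(...) executes before fake_scanner ever sees its arguments.
vulnerable_run() {
  eval "fake_scanner $1"
}

# Hardened pattern: only field-split the string into words (with pathname
# expansion switched off in a subshell) and hand each word over as a literal
# argument. Command substitution, redirections and quote removal never happen
# on the contents, because the shell never parses them as code.
hardened_run() {
  (
    set -f
    set -- $1
    fake_scanner "$@"
  )
}

# Returns 0 if the payload ran (marker file exists), 1 otherwise, and clears
# the marker so the next run starts clean.
payload_ran() {
  if [ -e "$INJECT_MARKER" ]; then
    rm -f "$INJECT_MARKER"
    return 0
  fi
  return 1
}

echo '== vulnerable: eval over the input string =='
vulnerable_run "$HOSTILE_ARGS"
payload_ran && echo '-> payload executed on the runner'

echo '== hardened: words passed as literal arguments =='
hardened_run "$HOSTILE_ARGS"
payload_ran || echo '-> payload did not execute; scanner received it as text'
```

Run it with `sh`. In the vulnerable branch the scanner sees a single, clean-looking argument while the marker file appears, which is exactly why this class of bug is easy to miss in logs; in the hardened branch the scanner receives the payload as three harmless words and nothing else runs. Whitespace field-splitting is the minimal hardening: a value that legitimately contains spaces would still be split, so an action taking a free-form argument string is better off accepting one value per list item or using a real argument parser. On the consuming side the same rule applies to workflow authors: pass untrusted event data into a step through environment variables rather than `${{ }}` interpolation, and treat every action input as potential shell input until the action's source shows otherwise.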
**Recommendations**
Update to SonarQube Scan GitHub Action version 5.3.1 or later (the version referenced in the workflow's `uses:` line). Independently of the upgrade, do not interpolate attacker-controllable event data such as pull request titles, branch names or issue text into the action's inputs, and keep the workflow's token permissions to the minimum the scan needs, so that a successful injection has as little as possible to reach.