In October 2023, Sonar's Vulnerability Research Team discovered a critical code vulnerability (CVE-2023-46851) in the Apache Allura software used by SourceForge. This vulnerability could have allowed attackers to fully compromise SourceForge and spread malicious software to nearly 20 million users worldwide. The issue was fixed with Apache Allura version 1.16.0, and there were no signs of in-the-wild exploitation.