Active CVEs in a production compliance platform. Audit scheduled. Limited team capacity. Every new feature built on a deprecated foundation.
Situation
You're the lead engineer at a compliance SaaS platform. Your GraphQL stack is more than two years out of date. A security scan has just flagged two active CVEs against it: a denial-of-service vulnerability triggered through malicious file uploads, and a SQL injection vector in the type system. A compliance audit is scheduled in six weeks. Your team is three engineers, and one of them is mid-sprint on a customer feature.
Stakes
Two active CVEs in production. Audit in six weeks. Team of three, one already committed. What's your approach?