Tools / AdalFlow / Security

Security Deep Dive

AdalFlow

Security posture and CVE patch evidence from tracked releases.

Back to Tool

13 critical dependency CVEs affects v1.1.3.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA ✓ SBOM ✗ Security policy Monthly cadence · 23d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present

Signed releases Unknown

Latest release artifact signature Latest release

—

SLSA provenance Unknown

Attestation predicate level Latest release

—

SBOM published Present

GitHub SBOM API Latest release

Last verified: 28d ago

SECURITY.md Absent

GitHub repository metadata Repository policy

Checked: 23d ago

Release cadence: monthly Present

23d median over recent releases Release history

Latest release: 8mo ago

Maintainer active Present

Recent commit activity Repository

Last commit: 5d ago

Checksums (SHA256SUMS) Not active yet

SHA256SUMS or equivalent Release asset

Latest release: 8mo ago

GitHub Actions attestation Not active yet

actions/attest-build-provenance Workflow file

Latest release: 8mo ago

Signing assets Not active yet

.sig, .crt, cosign.pub, or similar Release asset

Latest release: 8mo ago

3.8/10 Security Score

Dependency Exposure 139 transitive dependency CVEs found in the latest SBOM. 13 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

5d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 13c/61h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 5d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100

13 Transitive critical CVEs

0 KEV-transitive CVEs

27% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

473 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

High

Medium

Low

Unknown

Still affecting latest (125) All (139)

Critical 13 High 61 Medium 46 Low 18 Unknown 1

CVE	Severity	KEV	Dependency	Affected version	Cleared in release
CVE-2017-18342	critical	—	pyyaml	—	—
CVE-2019-20477	critical	—	pyyaml	—	—
CVE-2019-6446	critical	—	numpy	—	—
CVE-2020-14343	critical	—	pyyaml	—	—
CVE-2020-1747	critical	—	pyyaml	—	—
CVE-2024-8309	critical	—	langchain-community	0.2.19	—
CVE-2025-14009	critical	—	nltk	3.9.1	—
CVE-2025-15036	critical	—	mlflow	3.1.4	—
CVE-2025-15379	critical	—	mlflow	3.1.4	—
CVE-2025-68664	critical	—	langchain-core	0.2.43	—
CVE-2026-0545	critical	—	mlflow	3.1.4	—
CVE-2026-2635	critical	—	mlflow	3.1.4	—
CVE-2026-35030	critical	—	litellm	1.74.9.post1	—
CVE-2014-1858	high	—	numpy	—	—
CVE-2014-1859	high	—	numpy	—	—
CVE-2016-10075	high	—	tqdm	—	—
CVE-2017-12852	high	—	numpy	—	—
CVE-2021-41495	high	—	numpy	—	—
CVE-2024-37059	high	—	mlflow	3.1.4	—
CVE-2025-10279	high	—	mlflow	3.1.4	—
CVE-2025-14279	high	—	mlflow	3.1.4	—
CVE-2025-14287	high	—	mlflow	3.1.4	—
CVE-2025-15031	high	—	mlflow	3.1.4	—
CVE-2025-15381	high	—	mlflow	3.1.4	—
CVE-2025-53000	high	—	nbconvert	7.16.4	—
CVE-2025-62727	high	—	starlette	0.47.2	—
CVE-2025-65106	high	—	langchain-core	0.2.43	—
CVE-2025-66416	high	—	mcp	1.12.3	—
CVE-2025-66418	high	—	urllib3	2.5.0	—
CVE-2025-66471	high	—	urllib3	2.5.0	—
CVE-2025-67221	high	—	orjson	3.11.1	—
CVE-2025-69223	high	—	aiohttp	3.12.15	—
CVE-2025-6984	high	—	langchain-community	0.2.19	—
CVE-2025-6985	high	—	langchain-text-splitters	0.2.4	—
CVE-2026-0846	high	—	nltk	3.9.1	—
CVE-2026-0847	high	—	nltk	3.9.1	—
CVE-2026-0994	high	—	protobuf	5.29.5	—
CVE-2026-2033	high	—	mlflow	3.1.4	—
CVE-2026-21226	high	—	azure-core	1.35.0	—
CVE-2026-21441	high	—	urllib3	2.5.0	—
CVE-2026-23490	high	—	pyasn1	0.6.1	—
CVE-2026-24486	high	—	python-multipart	0.0.20	—
CVE-2026-25990	high	—	pillow	11.3.0	—
CVE-2026-26007	high	—	cryptography	45.0.5	—
CVE-2026-30922	high	—	pyasn1	0.6.1	—
CVE-2026-31958	high	—	tornado	6.5.1	—
CVE-2026-32274	high	—	black	24.10.0	—
CVE-2026-32597	high	—	pyjwt	2.10.1	—
CVE-2026-32874	high	—	ujson	5.10.0	—
CVE-2026-32875	high	—	ujson	5.10.0	—
CVE-2026-33079	high	—	mistune	3.1.3	—
CVE-2026-33231	high	—	nltk	3.9.1	—
CVE-2026-33236	high	—	nltk	3.9.1	—
CVE-2026-34070	high	—	langchain-core	0.2.43	—
CVE-2026-35029	high	—	litellm	1.74.9.post1	—
CVE-2026-35397	high	—	jupyter-server	2.16.0	—
CVE-2026-35536	high	—	tornado	6.5.1	—
CVE-2026-40110	high	—	jupyter-server	2.16.0	—
CVE-2026-40171	high	—	jupyterlab	4.4.5	—
CVE-2026-40171	high	—	notebook	7.4.4	—
CVE-2026-40192	high	—	pillow	11.3.0	—
CVE-2026-40934	high	—	jupyter-server	2.16.0	—
CVE-2026-42215	high	—	gitpython	3.1.45	—
CVE-2026-42266	high	—	jupyterlab	4.4.5	—
CVE-2026-42271	high	—	litellm	1.74.9.post1	—
CVE-2026-42284	high	—	gitpython	3.1.45	—
CVE-2026-42311	high	—	pillow	11.3.0	—
CVE-2026-42557	high	—	jupyterlab	4.4.5	—
CVE-2026-42557	high	—	notebook	7.4.4	—
CVE-2026-42561	high	—	python-multipart	0.0.20	—
CVE-2026-44243	high	—	gitpython	3.1.45	—
CVE-2026-44244	high	—	gitpython	3.1.45	—
CVE-2026-44307	high	—	mako	1.3.10	—
GHSA-69x8-hrgq-fjj8	high	—	litellm	1.74.9.post1	—
CVE-2021-33430	medium	—	numpy	—	—
CVE-2021-34141	medium	—	numpy	—	—
CVE-2021-41496	medium	—	numpy	—	—
CVE-2025-12695	medium	—	dspy	2.6.27	—
CVE-2025-3730	medium	—	torch	2.7.1	—
CVE-2025-50181	medium	—	urllib3	1.26.20	—
CVE-2025-57804	medium	—	h2	4.2.0	—
CVE-2025-61669	medium	—	jupyter-server	2.16.0	—
CVE-2025-66034	medium	—	fonttools	4.59.0	—
CVE-2025-66221	medium	—	werkzeug	3.1.3	—
CVE-2025-68146	medium	—	filelock	3.18.0	—
CVE-2025-68480	medium	—	marshmallow	3.26.1	—
CVE-2025-69227	medium	—	aiohttp	3.12.15	—
CVE-2025-69228	medium	—	aiohttp	3.12.15	—
CVE-2025-69229	medium	—	aiohttp	3.12.15	—
CVE-2025-69872	medium	—	diskcache	5.6.3	—
CVE-2025-71176	medium	—	pytest	8.4.1	—
CVE-2026-1839	medium	—	transformers	4.54.1	—
CVE-2026-21860	medium	—	werkzeug	3.1.3	—
CVE-2026-22701	medium	—	filelock	3.18.0	—
CVE-2026-22702	medium	—	virtualenv	20.32.0	—
CVE-2026-22815	medium	—	aiohttp	3.12.15	—
CVE-2026-25645	medium	—	requests	2.32.4	—
CVE-2026-27199	medium	—	werkzeug	3.1.3	—
CVE-2026-28684	medium	—	python-dotenv	1.1.1	—
CVE-2026-33230	medium	—	nltk	3.9.1	—
CVE-2026-33865	medium	—	mlflow	3.1.4	—
CVE-2026-33866	medium	—	mlflow	3.1.4	—
CVE-2026-34515	medium	—	aiohttp	3.12.15	—
CVE-2026-34516	medium	—	aiohttp	3.12.15	—
CVE-2026-34525	medium	—	aiohttp	3.12.15	—
CVE-2026-39377	medium	—	nbconvert	7.16.4	—
CVE-2026-39378	medium	—	nbconvert	7.16.4	—
CVE-2026-39892	medium	—	cryptography	45.0.5	—
CVE-2026-40087	medium	—	langchain-core	0.2.43	—
CVE-2026-40347	medium	—	python-multipart	0.0.20	—
CVE-2026-40491	medium	—	gdown	5.2.0	—
CVE-2026-41182	medium	—	langsmith	0.1.147	—
CVE-2026-41205	medium	—	mako	1.3.10	—
CVE-2026-41481	medium	—	langchain-text-splitters	0.2.4	—
CVE-2026-42308	medium	—	pillow	11.3.0	—
CVE-2026-42309	medium	—	pillow	11.3.0	—
CVE-2026-42310	medium	—	pillow	11.3.0	—
GHSA-27jp-wm6q-gp25	medium	—	sqlparse	0.5.3	—
GHSA-78cv-mqj4-43f7	medium	—	tornado	6.5.1	—
GHSA-rf74-v2fm-23pw	medium	—	nltk	3.9.1	—
CVE-2024-12797	low	—	cryptography	43.0.3	—
CVE-2024-34062	low	—	tqdm	—	—
CVE-2025-59842	low	—	jupyterlab	4.4.5	—
CVE-2025-69224	low	—	aiohttp	3.12.15	—
CVE-2025-69225	low	—	aiohttp	3.12.15	—
CVE-2025-69226	low	—	aiohttp	3.12.15	—
CVE-2025-69230	low	—	aiohttp	3.12.15	—
CVE-2026-26013	low	—	langchain-core	0.2.43	—
CVE-2026-27205	low	—	flask	3.1.1	—
CVE-2026-34073	low	—	cryptography	45.0.5	—
CVE-2026-34513	low	—	aiohttp	3.12.15	—
CVE-2026-34514	low	—	aiohttp	3.12.15	—
CVE-2026-34517	low	—	aiohttp	3.12.15	—
CVE-2026-34518	low	—	aiohttp	3.12.15	—
CVE-2026-34519	low	—	aiohttp	3.12.15	—
CVE-2026-34520	low	—	aiohttp	3.12.15	—
CVE-2026-41488	low	—	langchain-openai	0.1.25	—
CVE-2026-4539	low	—	pygments	2.19.2	—
CVE-2022-42969	unknown	—	py	1.11.0	—

Showing 139 of 139