Skip to content
Tools / app / Security

Security Deep Dive

app

Security posture and CVE patch evidence from tracked releases.

Back to Tool

16 high-severity dependency CVEs affects v4.81.2.

Review the dependency vulnerabilities below.

✗ Signed ✗ SLSA — SBOM ✓ Security policy Weekly cadence · 1d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present
Signed releases Absent
Latest release artifact signature None
Last verified: 4d ago
SLSA provenance Absent
Attestation predicate level Latest release
Last verified: 4d ago
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Present
GitHub repository metadata Repository policy
Checked: 23d ago
Release cadence: weekly Present
1d median over recent releases Release history
Latest release: 6d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 5d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 6d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 6d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 6d ago
5.0/10 Security Score
5.7/10 Scorecard
Dependency Exposure 84 transitive dependency CVEs found in the latest SBOM.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

5d stale

scorecard

2.28 / 4.0

Score 5.7/10

cve health

1.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 62.4/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

4.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

3.8

10%

supply chain risk: 62.36 transitive cves: 1c/29h

Provenance trust

provenance trust

5.7

40%

scorecard score: 5.7 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 5d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 62.4/100
0 Transitive critical CVEs
0 KEV-transitive CVEs
82% Dependency freshness

Scorecard

Scorecard 5.7/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 3 Found 7/18 approved changesets -- score normalized to 3
Maintained 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow 10 no dangerous workflow patterns detected
Security-Policy 10 security policy file detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts 10 no binaries found in the repo
License 10 license file detected
Signed-Releases -1 no releases found
Branch-Protection -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing 0 project is not fuzzed
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0
SAST 0 SAST tool is not run on all commits -- score normalized to 0
Packaging 10 packaging workflow detected

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

242 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

0

High

16

Medium

50

Low

16

Unknown

2

Still affecting latest (84) All (116)
High 16 Medium 50 Low 16 Unknown 2
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2020-25658 high rsa 4.6 v4.80.5
CVE-2023-25577 high werkzeug 1.0.1 v4.80.5
CVE-2023-30861 high flask 1.1.2 v4.80.5
CVE-2023-52323 high pycryptodome 3.9.8 v4.80.5
CVE-2024-23334 high aiohttp 3.8.4 v4.80.5
CVE-2024-30251 high aiohttp 3.8.4 v4.80.5
CVE-2024-34069 high werkzeug 1.0.1 v4.80.5
CVE-2024-4340 high sqlparse 0.4.4 v4.80.5
CVE-2024-6221 high flask-cors 3.0.9 v4.80.5
CVE-2025-66418 high urllib3 1.26.20 v4.80.5
CVE-2025-66471 high urllib3 1.26.20 v4.80.5
CVE-2025-69223 high aiohttp 3.8.4 v4.80.5
CVE-2026-21441 high urllib3 1.26.20 v4.80.5
CVE-2026-30922 high pyasn1 0.4.8 v4.80.5
CVE-2026-32597 high pyjwt 2.4.0 v4.80.5
CVE-2026-44307 high mako 1.2.4 v4.80.5
CVE-2022-3102 medium jwcrypto 0.8 v4.80.5
CVE-2022-40896 medium pygments 2.7.4 v4.80.5
CVE-2023-29483 medium dnspython 2.0.0 v4.80.5
CVE-2023-32681 medium requests 2.25.1 v4.80.5
CVE-2023-37276 medium aiohttp 3.8.4 v4.80.5
CVE-2023-46136 medium werkzeug 1.0.1 v4.80.5
CVE-2023-47627 medium aiohttp 3.8.4 v4.80.5
CVE-2023-49081 medium aiohttp 3.8.4 v4.80.5
CVE-2023-49082 medium aiohttp 3.8.4 v4.80.5
CVE-2023-6681 medium jwcrypto 0.8 v4.80.5
CVE-2024-1681 medium flask-cors 3.0.9 v4.80.5
CVE-2024-22195 medium jinja2 2.11.3 v4.80.5
CVE-2024-23829 medium aiohttp 3.8.4 v4.80.5
CVE-2024-27305 medium aiosmtpd 1.4.2 v4.80.5
CVE-2024-27306 medium aiohttp 3.8.4 v4.80.5
CVE-2024-28102 medium jwcrypto 0.8 v4.80.5
CVE-2024-34064 medium jinja2 2.11.3 v4.80.5
CVE-2024-34083 medium aiosmtpd 1.4.2 v4.80.5
CVE-2024-35195 medium requests 2.31.0 v4.80.5
CVE-2024-3651 medium idna 2.10 v4.80.5
CVE-2024-42353 medium webob 1.8.7 v4.80.5
CVE-2024-47081 medium requests 2.31.0 v4.80.5
CVE-2024-49766 medium werkzeug 1.0.1 v4.80.5
CVE-2024-49767 medium werkzeug 1.0.1 v4.80.5
CVE-2024-52304 medium aiohttp 3.8.4 v4.80.5
CVE-2024-56326 medium jinja2 2.11.3 v4.80.5
CVE-2024-6839 medium flask-cors 3.0.9 v4.80.5
CVE-2024-6844 medium flask-cors 3.0.9 v4.80.5
CVE-2024-6866 medium flask-cors 3.0.9 v4.80.5
CVE-2025-27516 medium jinja2 2.11.3 v4.80.5
CVE-2025-50181 medium urllib3 1.26.20 v4.80.5
CVE-2025-66221 medium werkzeug 1.0.1 v4.80.5
CVE-2025-68146 medium filelock 3.15.4 v4.80.5
CVE-2025-69227 medium aiohttp 3.8.4 v4.80.5
CVE-2025-69228 medium aiohttp 3.8.4 v4.80.5
CVE-2025-69229 medium aiohttp 3.8.4 v4.80.5
CVE-2026-21860 medium werkzeug 1.0.1 v4.80.5
CVE-2026-22701 medium filelock 3.15.4 v4.80.5
CVE-2026-22815 medium aiohttp 3.8.4 v4.80.5
CVE-2026-25645 medium requests 2.31.0 v4.80.5
CVE-2026-27199 medium werkzeug 1.0.1 v4.80.5
CVE-2026-28684 medium python-dotenv 0.14.0 v4.80.5
CVE-2026-34515 medium aiohttp 3.8.4 v4.80.5
CVE-2026-34516 medium aiohttp 3.8.4 v4.80.5
CVE-2026-34525 medium aiohttp 3.8.4 v4.80.5
CVE-2026-34531 medium flask-httpauth 4.1.0 v4.80.5
CVE-2026-39373 medium jwcrypto 0.8 v4.80.5
CVE-2026-41205 medium mako 1.2.4 v4.80.5
GHSA-27jp-wm6q-gp25 medium sqlparse 0.4.4 v4.80.5
GHSA-pjjw-qhg8-p2p9 medium aiohttp 3.8.4 v4.80.5
CVE-2023-23934 low werkzeug 1.0.1 v4.80.5
CVE-2024-34062 low tqdm 4.64.0 v4.80.5
CVE-2024-9506 low vue 2.6.14 v4.80.5
CVE-2025-53643 low aiohttp 3.8.4 v4.80.5
CVE-2025-69224 low aiohttp 3.8.4 v4.80.5
CVE-2025-69225 low aiohttp 3.8.4 v4.80.5
CVE-2025-69226 low aiohttp 3.8.4 v4.80.5
CVE-2025-69230 low aiohttp 3.8.4 v4.80.5
CVE-2026-27205 low flask 1.1.2 v4.80.5
CVE-2026-34513 low aiohttp 3.8.4 v4.80.5
CVE-2026-34514 low aiohttp 3.8.4 v4.80.5
CVE-2026-34517 low aiohttp 3.8.4 v4.80.5
CVE-2026-34518 low aiohttp 3.8.4 v4.80.5
CVE-2026-34519 low aiohttp 3.8.4 v4.80.5
CVE-2026-34520 low aiohttp 3.8.4 v4.80.5
CVE-2026-4539 low pygments 2.7.4 v4.80.5
CVE-2022-29361 unknown werkzeug 1.0.1 v4.80.5
CVE-2022-42969 unknown py 1.11.0 v4.80.5

Showing 84 of 116

Beta — feedback welcome: [email protected]