Skip to content
Tools / audiobookshelf / Security

Security Deep Dive

audiobookshelf

Security posture and CVE patch evidence from tracked releases.

Back to Tool

2 critical dependency CVEs affects v2.35.1.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA — SBOM ✗ Security policy Weekly cadence · 10d median Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 23d ago
Release cadence: weekly Present
10d median over recent releases Release history
Latest release: 6d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 4d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 6d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 6d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 6d ago
3.8/10 Security Score
Pending CVE Patch Speed
Open CVEs Open CVEs detected for latest version.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

4d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

Open CVEs detected

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: open cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 6c/49h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 4d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
2 Transitive critical CVEs
0 KEV-transitive CVEs
44% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

1863 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

2

High

22

Medium

26

Low

16

Unknown

0

Still affecting latest (66) All (127)
Critical 2 High 22 Medium 26 Low 16
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2025-9287 critical cipher-base 1.0.4 v2.35.0
CVE-2025-9288 critical sha.js 2.4.11 v2.35.0
CVE-2024-21536 high http-proxy-middleware 1.3.1 v2.35.0
CVE-2024-29415 high ip 2.0.0 v2.35.0
CVE-2024-4367 high pdfjs-dist 2.7.570 v2.35.0
CVE-2024-45296 high path-to-regexp 0.1.7 v2.35.0
CVE-2024-45590 high body-parser 1.20.1 v2.35.0
CVE-2024-52798 high path-to-regexp 0.1.7 v2.35.0
CVE-2025-27152 high axios 0.27.2 v2.35.0
CVE-2025-48387 high tar-fs 2.1.2 v2.35.0
CVE-2025-57820 high devalue 2.0.1 v2.35.0
CVE-2025-59343 high tar-fs 2.1.2 v2.35.0
CVE-2026-25639 high axios 0.27.2 v2.35.0
CVE-2026-29074 high svgo 2.8.0 v2.35.0
CVE-2026-33671 high picomatch 2.3.1 v2.35.0
CVE-2026-34601 high @xmldom/xmldom 0.7.13 v2.35.0
CVE-2026-41672 high @xmldom/xmldom 0.7.13 v2.35.0
CVE-2026-41673 high @xmldom/xmldom 0.7.13 v2.35.0
CVE-2026-41674 high @xmldom/xmldom 0.7.13 v2.35.0
CVE-2026-41675 high @xmldom/xmldom 0.7.13 v2.35.0
CVE-2026-42033 high axios 0.27.2 v2.35.0
CVE-2026-42035 high axios 0.27.2 v2.35.0
CVE-2026-42043 high axios 0.27.2 v2.35.0
CVE-2026-4867 high path-to-regexp 0.1.7 v2.35.0
CVE-2023-45857 medium axios 0.27.2 v2.35.0
CVE-2024-28849 medium follow-redirects 1.15.5 v2.35.0
CVE-2024-34341 medium trix 1.3.1 v2.35.0
CVE-2024-34343 medium nuxt 2.18.1 v2.35.0
CVE-2024-43368 medium trix 1.3.1 v2.35.0
CVE-2024-53847 medium trix 1.3.1 v2.35.0
CVE-2024-6783 medium vue-template-compiler 2.7.16 v2.35.0
CVE-2025-21610 medium trix 1.3.1 v2.35.0
CVE-2025-32996 medium http-proxy-middleware 1.3.1 v2.35.0
CVE-2025-32997 medium http-proxy-middleware 1.3.1 v2.35.0
CVE-2025-62718 medium axios 0.27.2 v2.35.0
CVE-2026-27837 medium dottie 2.0.6 v2.35.0
CVE-2026-30226 medium devalue 2.0.1 v2.35.0
CVE-2026-33532 medium yaml 1.10.2 v2.35.0
CVE-2026-33672 medium picomatch 2.3.1 v2.35.0
CVE-2026-33750 medium brace-expansion 1.1.11 v2.35.0
CVE-2026-40175 medium axios 0.27.2 v2.35.0
CVE-2026-42034 medium axios 0.27.2 v2.35.0
CVE-2026-42036 medium axios 0.27.2 v2.35.0
CVE-2026-42038 medium axios 0.27.2 v2.35.0
CVE-2026-42039 medium axios 0.27.2 v2.35.0
CVE-2026-42041 medium axios 0.27.2 v2.35.0
CVE-2026-42042 medium axios 0.27.2 v2.35.0
GHSA-g9jg-w8vm-g96v medium trix 1.3.1 v2.35.0
GHSA-qmpg-8xg6-ph5q medium trix 1.3.1 v2.35.0
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.5 v2.35.0
CVE-2023-42282 low ip 2.0.0 v2.35.0
CVE-2024-27088 low es5-ext 0.10.62 v2.35.0
CVE-2024-43799 low send 0.18.0 v2.35.0
CVE-2024-43800 low serve-static 1.15.0 v2.35.0
CVE-2024-47764 low cookie 0.5.0 v2.35.0
CVE-2024-9506 low vue 2.7.16 v2.35.0
CVE-2025-46812 low trix 1.3.1 v2.35.0
CVE-2025-54798 low tmp 0.0.33 v2.35.0
CVE-2025-5889 low brace-expansion 1.1.11 v2.35.0
CVE-2025-7339 low on-headers 1.0.2 v2.35.0
CVE-2026-3449 low @tootallnate/once 1.1.2 v2.35.0
CVE-2026-42040 low axios 0.27.2 v2.35.0
GHSA-33hq-fvwr-56pm low devalue 2.0.1 v2.35.0
GHSA-53p3-c7vp-4mcc low trix 1.3.1 v2.35.0
GHSA-8qm3-746x-r74r low devalue 2.0.1 v2.35.0
GHSA-mwv9-gp5h-frr4 low devalue 2.0.1 v2.35.0

Showing 66 of 127

Beta — feedback welcome: [email protected]