Skip to content
Tools / chroma / Security

Security Deep Dive

chroma

Security posture and CVE patch evidence from tracked releases.

Back to Tool

12 critical dependency CVEs affects 1.5.9.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA ✓ SBOM ✗ Security policy Weekly cadence · 2d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Present
GitHub SBOM API Latest release
Last verified: 28d ago
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 22d ago
Release cadence: weekly Present
2d median over recent releases Release history
Latest release: 29d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 1d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 29d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 29d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 29d ago
3.8/10 Security Score
5.1/10 Scorecard
Dependency Exposure 235 transitive dependency CVEs found in the latest SBOM. 12 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

Up to date

scorecard

2.04 / 4.0

Score 5.1/10

cve health

0.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 12c/84h

Provenance trust

provenance trust

5.1

40%

scorecard score: 5.1 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 0d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
12 Transitive critical CVEs
0 KEV-transitive CVEs
46% Dependency freshness

Scorecard

Scorecard 5.1/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 9 Found 28/30 approved changesets -- score normalized to 9
Maintained 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow 10 no dangerous workflow patterns detected
Security-Policy 0 security policy file not detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
Binary-Artifacts 10 no binaries found in the repo
License 10 license file detected
Fuzzing 0 project is not fuzzed
Branch-Protection -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases 0 Project has not signed or included provenance with any releases.
Packaging 10 packaging workflow detected
SAST 0 SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

4487 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

12

High

84

Medium

91

Low

26

Unknown

22

Still affecting latest (166) All (235)
Critical 12 High 84 Medium 91 Low 26 Unknown 22
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2015-7337 critical notebook
CVE-2019-6446 critical numpy
CVE-2021-41945 critical httpx
CVE-2024-45337 critical golang.org/x/crypto 0.25.0
CVE-2025-7783 critical form-data 4.0.0
CVE-2026-25896 critical fast-xml-parser 4.4.1
CVE-2026-33186 critical google.golang.org/grpc 1.65.0
CVE-2026-33816 critical github.com/jackc/pgx/v5 5.5.4
CVE-2026-33863 critical convict 6.2.4
CVE-2026-33864 critical convict 6.2.4
CVE-2026-33937 critical handlebars 4.7.8
CVE-2026-41242 critical protobufjs 6.11.4
CVE-2014-1858 high numpy
CVE-2014-1859 high numpy
CVE-2016-10075 high tqdm
CVE-2017-12852 high numpy
CVE-2018-8768 high notebook
CVE-2019-18874 high psutil
CVE-2020-7694 high uvicorn
CVE-2020-7695 high uvicorn
CVE-2021-32798 high notebook
CVE-2021-41495 high numpy
CVE-2022-24758 high notebook
CVE-2024-12905 high tar-fs 3.0.6
CVE-2024-21538 high cross-spawn 7.0.3
CVE-2024-22421 high notebook
CVE-2024-24762 high fastapi 0.95.2
CVE-2024-25621 high github.com/containerd/containerd 1.7.12
CVE-2024-27454 high orjson 3.9.12
CVE-2024-43805 high notebook
CVE-2024-45296 high path-to-regexp 0.1.7
CVE-2024-45590 high body-parser 1.20.2
CVE-2024-47068 high rollup 4.18.0
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2025-22868 high golang.org/x/oauth2 0.20.0
CVE-2025-22869 high golang.org/x/crypto 0.25.0
CVE-2025-27152 high axios 0.26.1
CVE-2025-4565 high protobuf 5.28.0
CVE-2025-48387 high tar-fs 3.0.6
CVE-2025-58754 high axios 1.9.0
CVE-2025-59343 high tar-fs 3.0.6
CVE-2025-64756 high glob 10.4.5
CVE-2025-65945 high jws 4.0.0
CVE-2025-67221 high orjson 3.9.12
CVE-2025-6985 high langchain-text-splitters
CVE-2026-0994 high protobuf 5.28.0
CVE-2026-1526 high undici 5.29.0
CVE-2026-2229 high undici 5.29.0
CVE-2026-23745 high tar 7.4.3
CVE-2026-23950 high tar 7.4.3
CVE-2026-24051 high go.opentelemetry.io/otel/sdk 1.28.0
CVE-2026-24842 high tar 7.4.3
CVE-2026-25128 high fast-xml-parser 5.2.5
CVE-2026-25639 high axios 0.26.1
CVE-2026-26278 high fast-xml-parser 4.4.1
CVE-2026-26960 high tar 7.4.3
CVE-2026-26996 high minimatch 5.1.6
CVE-2026-27606 high rollup 4.40.2
CVE-2026-27903 high minimatch 5.1.6
CVE-2026-27904 high minimatch 5.1.6
CVE-2026-29181 high go.opentelemetry.io/otel 1.36.0
CVE-2026-29786 high tar 7.4.3
CVE-2026-31802 high tar 7.4.3
CVE-2026-32141 high flatted 3.3.3
CVE-2026-32274 high black 23.3.0
CVE-2026-33036 high fast-xml-parser 4.4.1
CVE-2026-33228 high flatted 3.3.3
CVE-2026-33671 high picomatch 2.3.1
CVE-2026-33938 high handlebars 4.7.8
CVE-2026-33939 high handlebars 4.7.8
CVE-2026-33940 high handlebars 4.7.8
CVE-2026-33941 high handlebars 4.7.8
CVE-2026-34040 high github.com/docker/docker 25.0.6+incompatible
CVE-2026-35209 high defu 6.1.4
CVE-2026-39883 high go.opentelemetry.io/otel/sdk 1.28.0
CVE-2026-40171 high notebook
CVE-2026-41636 high thrift 0.11.0
CVE-2026-41676 high openssl 0.10.76
CVE-2026-41678 high openssl 0.10.76
CVE-2026-41681 high openssl 0.10.76
CVE-2026-41898 high openssl 0.10.76
CVE-2026-42033 high axios 0.26.1
CVE-2026-42035 high axios 0.26.1
CVE-2026-42043 high axios 0.26.1
CVE-2026-42264 high axios 1.9.0
CVE-2026-42327 high openssl 0.10.76
CVE-2026-42557 high notebook
CVE-2026-43870 high thrift 0.11.0
CVE-2026-4800 high lodash 4.17.21
CVE-2026-4867 high path-to-regexp 0.1.7
CVE-2026-6321 high fast-uri 3.0.6
CVE-2026-6322 high fast-uri 3.0.6
GHSA-82j2-j2ch-gfr8 high rustls-webpki 0.103.9
GHSA-gfxp-f68g-8x78 high libyml 0.0.5
GHSA-h25m-26qc-wcjf high next 16.0.10
GHSA-q4gf-8mx6-v5v3 high next 16.0.10
CVE-2015-6938 medium notebook
CVE-2018-19351 medium notebook
CVE-2018-19352 medium notebook
CVE-2018-21030 medium notebook
CVE-2019-10255 medium notebook
CVE-2019-10856 medium notebook
CVE-2019-9644 medium notebook
CVE-2021-32797 medium notebook
CVE-2021-33430 medium numpy
CVE-2021-34141 medium numpy
CVE-2021-41496 medium numpy
CVE-2022-29238 medium notebook
CVE-2023-36464 medium pypdf
CVE-2023-45857 medium axios 0.26.1
CVE-2023-46250 medium pypdf
CVE-2023-49092 medium rsa 0.9.10
CVE-2024-21503 medium black 23.3.0
CVE-2024-22420 medium notebook
CVE-2024-3772 medium pydantic 2.0
CVE-2024-40635 medium github.com/containerd/containerd 1.7.12
CVE-2024-4067 medium micromatch 4.0.7
CVE-2025-13465 medium lodash 4.17.21
CVE-2025-15284 medium qs 6.11.0
CVE-2025-22870 medium golang.org/x/net 0.27.0
CVE-2025-22872 medium golang.org/x/net 0.27.0
CVE-2025-27789 medium @babel/helpers 7.24.7
CVE-2025-47914 medium golang.org/x/crypto 0.25.0
CVE-2025-55197 medium pypdf
CVE-2025-58181 medium golang.org/x/crypto 0.25.0
CVE-2025-59471 medium next 16.0.10
CVE-2025-59472 medium next 16.0.10
CVE-2025-62707 medium pypdf
CVE-2025-62708 medium pypdf
CVE-2025-62718 medium axios 0.26.1
CVE-2025-64329 medium github.com/containerd/containerd 1.7.12
CVE-2025-64718 medium js-yaml 4.1.0
CVE-2025-66019 medium pypdf
CVE-2025-69873 medium ajv 8.17.1
CVE-2025-71176 medium pytest
CVE-2026-1525 medium undici 5.29.0
CVE-2026-1527 medium undici 5.29.0
CVE-2026-22036 medium undici 5.29.0
CVE-2026-24688 medium pypdf
CVE-2026-27024 medium pypdf
CVE-2026-27025 medium pypdf
CVE-2026-27026 medium pypdf
CVE-2026-27888 medium pypdf
CVE-2026-27978 medium next 16.0.10
CVE-2026-27979 medium next 16.0.10
CVE-2026-27980 medium next 16.0.10
CVE-2026-28351 medium pypdf
CVE-2026-28804 medium pypdf
CVE-2026-29057 medium next 16.0.10
CVE-2026-2950 medium lodash 4.17.21
CVE-2026-31826 medium pypdf
CVE-2026-33123 medium pypdf
CVE-2026-33349 medium fast-xml-parser 4.4.1
CVE-2026-33532 medium yaml 2.7.1
CVE-2026-33672 medium picomatch 2.3.1
CVE-2026-33699 medium pypdf
CVE-2026-33750 medium brace-expansion 2.0.1
CVE-2026-33916 medium handlebars 4.7.8
CVE-2026-33997 medium github.com/docker/docker 25.0.6+incompatible
CVE-2026-34450 medium anthropic
CVE-2026-34452 medium anthropic
CVE-2026-40175 medium axios 0.26.1
CVE-2026-40260 medium pypdf
CVE-2026-41168 medium pypdf
CVE-2026-41305 medium postcss 8.5.3
CVE-2026-41312 medium pypdf
CVE-2026-41313 medium pypdf
CVE-2026-41314 medium pypdf
CVE-2026-41481 medium langchain-text-splitters
CVE-2026-41650 medium fast-xml-parser 4.4.1
CVE-2026-42034 medium axios 0.26.1
CVE-2026-42036 medium axios 0.26.1
CVE-2026-42037 medium axios 1.9.0
CVE-2026-42038 medium axios 0.26.1
CVE-2026-42039 medium axios 0.26.1
CVE-2026-42041 medium axios 0.26.1
CVE-2026-42042 medium axios 0.26.1
CVE-2026-42044 medium axios 1.9.0
CVE-2026-43868 medium thrift 0.17.0
CVE-2026-44662 medium openssl 0.10.76
GHSA-67mh-4wv8-2f99 medium esbuild 0.19.12
GHSA-7rx3-28cr-v5wh medium handlebars 4.7.8
GHSA-hhw4-xg65-fp2x medium serde_yml 0.0.12
GHSA-pwjx-qhcg-rvj4 medium rustls-webpki 0.103.9
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.6
GHSA-xmrv-pmrh-hhx2 medium github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream 1.6.7
GHSA-xmrv-pmrh-hhx2 medium github.com/aws/aws-sdk-go-v2/service/s3 1.71.0
CVE-2020-26215 low notebook
CVE-2024-34062 low tqdm 4.65.0
CVE-2024-43796 low express 4.19.2
CVE-2024-43799 low send 0.18.0
CVE-2024-43800 low serve-static 1.15.0
CVE-2024-47764 low cookie 0.6.0
CVE-2024-53384 low tsup 8.0.1
CVE-2025-54410 low github.com/docker/docker 25.0.6+incompatible
CVE-2025-54798 low tmp 0.2.3
CVE-2025-5889 low brace-expansion 2.0.1
CVE-2026-22690 low pypdf
CVE-2026-22691 low pypdf
CVE-2026-2391 low qs 6.11.0
CVE-2026-24001 low diff 4.0.2
CVE-2026-27628 low pypdf
CVE-2026-27942 low fast-xml-parser 4.4.1
CVE-2026-27977 low next 16.0.10
CVE-2026-41677 low openssl 0.10.76
CVE-2026-41889 low github.com/jackc/pgx/v5 5.5.4
CVE-2026-42040 low axios 0.26.1
GHSA-442j-39wm-28r2 low handlebars 4.7.8
GHSA-6475-r3vj-m8vf low @smithy/config-resolver 4.1.2
GHSA-965h-392x-2mh5 low rustls-webpki 0.103.9
GHSA-cq8v-f236-94qc low rand 0.10.0
GHSA-rhfx-m35p-ff5j low lru 0.12.5
GHSA-xgp8-3hg3-c2mh low rustls-webpki 0.103.9
CVE-2020-13091 unknown pandas
CVE-2024-45338 unknown golang.org/x/net 0.27.0
CVE-2025-47911 unknown golang.org/x/net 0.27.0
CVE-2025-47913 unknown golang.org/x/crypto 0.25.0
CVE-2025-58190 unknown golang.org/x/net 0.27.0
CVE-2026-33814 unknown golang.org/x/net 0.27.0
CVE-2026-33815 unknown github.com/jackc/pgx/v5 5.5.4
RUSTSEC-2024-0384 unknown instant 0.1.13
RUSTSEC-2024-0388 unknown derivative 2.2.0,< 3.0.0
RUSTSEC-2024-0436 unknown paste 1.0.15
RUSTSEC-2025-0012 unknown backoff 0.4.0
RUSTSEC-2025-0067 unknown libyml 0.0.5
RUSTSEC-2025-0068 unknown serde_yml 0.0.12
RUSTSEC-2025-0119 unknown number_prefix 0.4.0
RUSTSEC-2025-0134 unknown rustls-pemfile 1.0.4
RUSTSEC-2025-0141 unknown bincode 1.3.3
RUSTSEC-2026-0002 unknown lru 0.12.5
RUSTSEC-2026-0049 unknown rustls-webpki 0.103.9
RUSTSEC-2026-0097 unknown rand 0.10.0
RUSTSEC-2026-0098 unknown rustls-webpki 0.103.9
RUSTSEC-2026-0099 unknown rustls-webpki 0.103.9
RUSTSEC-2026-0104 unknown rustls-webpki 0.103.9

Showing 235 of 235

Beta — feedback welcome: [email protected]