
Security Deep Dive

cmms

Security posture and CVE patch evidence from tracked releases.


1 actively-exploited dependency CVE affects v1.6.0.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

Signed: unknown · SLSA: unknown · SBOM: ✓ · Security policy: ✗ · Quarterly cadence (55d median) · Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 present

Signed releases: Unknown. Evidence: latest release artifact signature (latest release).
SLSA provenance: Unknown. Evidence: attestation predicate level (latest release).
SBOM published: Present. Evidence: GitHub SBOM API (latest release). Last verified: 28d ago.
SECURITY.md: Absent. Evidence: GitHub repository metadata (repository policy). Checked: 22d ago.
Release cadence, quarterly: Present. Evidence: 55d median over recent releases (release history). Latest release: 1mo ago.
Maintainer active: Present. Evidence: recent commit activity (repository). Last commit: 8d ago.
Checksums (SHA256SUMS): Not active yet. Evidence: SHA256SUMS or equivalent (release asset). Latest release: 1mo ago.
GitHub Actions attestation: Not active yet. Evidence: actions/attest-build-provenance (workflow file). Latest release: 1mo ago.
Signing assets: Not active yet. Evidence: .sig, .crt, cosign.pub, or similar (release asset). Latest release: 1mo ago.
Security Score: 3.8/10
Dependency Exposure: 281 transitive dependency CVEs found in the latest SBOM, 50 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss: 0.25 / 0.5 (No EPSS data)
freshness: 1.00 / 1.0 (8d stale)
scorecard: 2.00 / 4.0 (⚠ Estimated — not yet collected)
cve health: 0.00 / 2.5 (⚠ No direct scan — 50c/129h transitive CVEs)
patch speed: 0.50 / 0.5 (⚠ Estimated — no CVE patch history)
kev exposure: 1.50 / 1.5 (No KEV exposure)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown (schema v2)

Vulnerability posture: 0.0 (weight 25%). direct cves: clear; cve scan: estimated
Release responsiveness: 10.0 (weight 5%). patch speed days: no_history
Dependency exposure: 0.0 (weight 10%). supply chain risk: 100.0; transitive cves: 50c/129h
Provenance trust: 5.0 (weight 40%). scorecard score: estimated; openssf badge: none
Maintainer health: 10.0 (weight 10%). activity freshness: 8d
Operational risk: 8.5 (weight 10%). kev exposure: detected; epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk: 100.0/100
Transitive critical CVEs: 50
KEV-transitive CVEs: 1
Dependency freshness: 57%

OpenSSF Badge

OpenSSF badge: none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

4176 dependencies scanned

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 50
High: 129
Medium: 79
Low: 23
Unknown: 0

1 dependency vulnerability is in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

CVE Severity KEV Dependency Affected version Cleared in release
CVE-2017-15095 critical com.fasterxml.jackson.core:jackson-databind
CVE-2017-17485 critical com.fasterxml.jackson.core:jackson-databind
CVE-2017-7525 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-11307 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-14718 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-14719 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-14720 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-14721 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-19360 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-19361 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-19362 critical com.fasterxml.jackson.core:jackson-databind
CVE-2018-7489 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-14379 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-14540 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-16335 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-16942 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-16943 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-17267 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-17531 critical com.fasterxml.jackson.core:jackson-databind
CVE-2019-20330 critical com.fasterxml.jackson.core:jackson-databind
CVE-2020-8840 critical com.fasterxml.jackson.core:jackson-databind
CVE-2020-9546 critical com.fasterxml.jackson.core:jackson-databind
CVE-2020-9547 critical com.fasterxml.jackson.core:jackson-databind
CVE-2020-9548 critical com.fasterxml.jackson.core:jackson-databind
CVE-2021-43466 critical org.thymeleaf:thymeleaf-spring5 3.0.11.RELEASE
CVE-2022-22965 critical KEV org.springframework.boot:spring-boot-starter-web
CVE-2022-22978 critical org.springframework.security:spring-security-web
CVE-2022-37601 critical loader-utils 2.0.2
CVE-2023-28154 critical webpack 5.73.0
CVE-2023-34034 critical org.springframework.security:spring-security-config
CVE-2023-36665 critical protobufjs 6.11.3
CVE-2023-46233 critical crypto-js 4.1.1
CVE-2024-1597 critical org.postgresql:postgresql
CVE-2024-38821 critical org.springframework.security:spring-security-web
CVE-2025-6545 critical pbkdf2 3.1.2
CVE-2025-6547 critical pbkdf2 3.1.2
CVE-2025-7783 critical form-data 3.0.1
CVE-2025-9287 critical cipher-base 1.0.4
CVE-2025-9288 critical sha.js 2.4.11
CVE-2026-22732 critical org.springframework.security:spring-security-web
CVE-2026-27212 critical swiper 8.2.2
CVE-2026-40477 critical org.thymeleaf:thymeleaf-spring5 3.0.11.RELEASE
CVE-2026-40477 critical org.thymeleaf:thymeleaf 3.0.11.RELEASE
CVE-2026-40478 critical org.thymeleaf:thymeleaf-spring5 3.0.11.RELEASE
CVE-2026-40478 critical org.thymeleaf:thymeleaf 3.0.11.RELEASE
CVE-2026-40976 critical org.springframework.boot:spring-boot
CVE-2026-41242 critical protobufjs 6.11.3
CVE-2026-41901 critical org.thymeleaf:thymeleaf-spring5 3.0.11.RELEASE
CVE-2026-41901 critical org.thymeleaf:thymeleaf 3.0.11.RELEASE
GHSA-vjh7-7g9h-fjfh critical elliptic 6.5.5
CVE-2012-1618 high org.postgresql:postgresql
CVE-2017-8028 high org.springframework.ldap:spring-ldap-core
CVE-2018-12022 high com.fasterxml.jackson.core:jackson-databind
CVE-2018-12023 high com.fasterxml.jackson.core:jackson-databind
CVE-2018-15801 high org.springframework.security:spring-security-oauth2-jose
CVE-2018-5968 high com.fasterxml.jackson.core:jackson-databind
CVE-2019-12086 high com.fasterxml.jackson.core:jackson-databind
CVE-2019-14439 high com.fasterxml.jackson.core:jackson-databind
CVE-2019-14892 high com.fasterxml.jackson.core:jackson-databind
CVE-2019-14893 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-10650 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-10672 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-10673 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-10968 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-10969 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-11111 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-11112 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-11113 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-11619 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-11620 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-13692 high org.postgresql:postgresql
CVE-2020-14060 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-14061 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-14062 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-14195 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-24616 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-24750 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-25649 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-35490 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-35491 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-35728 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36179 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36180 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36181 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36182 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36183 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36184 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36185 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36186 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36187 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36188 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36189 high com.fasterxml.jackson.core:jackson-databind
CVE-2020-36518 high com.fasterxml.jackson.core:jackson-databind
CVE-2021-0341 high com.squareup.okhttp3:okhttp
CVE-2021-20190 high com.fasterxml.jackson.core:jackson-databind
CVE-2021-22112 high org.springframework.security:spring-security-web
CVE-2021-3803 high nth-check 1.0.2
CVE-2021-46877 high com.fasterxml.jackson.core:jackson-databind
CVE-2022-0235 high node-fetch 1.7.3
CVE-2022-21724 high org.postgresql:postgresql
CVE-2022-23539 high jsonwebtoken 8.5.1
CVE-2022-25858 high terser 5.14.0
CVE-2022-25883 high semver 7.3.7
CVE-2022-25927 high ua-parser-js 0.7.32
CVE-2022-27772 high org.springframework.boot:spring-boot
CVE-2022-31197 high org.postgresql:postgresql
CVE-2022-3517 high minimatch 3.0.4
CVE-2022-37599 high loader-utils 2.0.2
CVE-2022-37603 high loader-utils 2.0.2
CVE-2022-42003 high com.fasterxml.jackson.core:jackson-databind
CVE-2022-42004 high com.fasterxml.jackson.core:jackson-databind
CVE-2022-46175 high json5 1.0.1
CVE-2023-2251 high yaml 2.1.1
CVE-2023-30533 high xlsx 0.18.5
CVE-2023-34035 high org.springframework.security:spring-security-config
CVE-2024-21536 high http-proxy-middleware 2.0.6
CVE-2024-21538 high cross-spawn 7.0.3
CVE-2024-22363 high xlsx 0.18.5
CVE-2024-29180 high webpack-dev-middleware 5.3.3
CVE-2024-37890 high ws 7.5.8
CVE-2024-45296 high path-to-regexp 0.1.7
CVE-2024-45590 high body-parser 1.20.0
CVE-2024-47068 high rollup 2.75.5
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2025-12816 high node-forge 1.3.1
CVE-2025-22235 high org.springframework.boot:spring-boot
CVE-2025-27152 high axios 0.27.2
CVE-2025-49146 high org.postgresql:postgresql
CVE-2025-59952 high io.minio:minio 8.5.17
CVE-2025-65945 high jws 3.2.2
CVE-2025-66031 high node-forge 1.3.1
CVE-2026-1526 high undici 7.18.2
CVE-2026-1528 high undici 7.18.2
CVE-2026-2229 high undici 7.18.2
CVE-2026-22731 high org.springframework.boot:spring-boot-starter-actuator
CVE-2026-22733 high org.springframework.boot:spring-boot-starter-actuator
CVE-2026-22753 high org.springframework.security:spring-security-config
CVE-2026-22754 high org.springframework.security:spring-security-config
CVE-2026-25639 high axios 0.27.2
CVE-2026-26960 high tar 7.5.7
CVE-2026-26996 high minimatch 3.1.2
CVE-2026-27601 high underscore 1.13.7
CVE-2026-27606 high rollup 2.75.5
CVE-2026-27903 high minimatch 3.1.2
CVE-2026-27904 high minimatch 3.1.2
CVE-2026-29074 high svgo 2.8.0
CVE-2026-29786 high tar 7.5.7
CVE-2026-31802 high tar 7.5.7
CVE-2026-32141 high flatted 3.2.5
CVE-2026-33036 high fast-xml-parser 5.3.6
CVE-2026-33228 high flatted 3.2.5
CVE-2026-33671 high picomatch 2.3.1
CVE-2026-33891 high node-forge 1.3.1
CVE-2026-33894 high node-forge 1.3.1
CVE-2026-33895 high node-forge 1.3.1
CVE-2026-33896 high node-forge 1.3.1
CVE-2026-34601 high @xmldom/xmldom 0.8.11
CVE-2026-40973 high org.springframework.boot:spring-boot
CVE-2026-41672 high @xmldom/xmldom 0.8.11
CVE-2026-41673 high @xmldom/xmldom 0.8.11
CVE-2026-41674 high @xmldom/xmldom 0.8.11
CVE-2026-41675 high @xmldom/xmldom 0.8.11
CVE-2026-42033 high axios 0.27.2
CVE-2026-42035 high axios 0.27.2
CVE-2026-42043 high axios 0.27.2
CVE-2026-42198 high org.postgresql:postgresql
CVE-2026-42264 high axios 1.13.5
CVE-2026-44665 high fast-xml-builder 1.1.5
CVE-2026-44728 high @babel/plugin-transform-modules-systemjs 7.29.0
CVE-2026-4800 high lodash-es 4.17.21
CVE-2026-4800 high lodash 4.17.21
CVE-2026-4867 high path-to-regexp 0.1.7
CVE-2026-4926 high path-to-regexp 8.3.0
CVE-2026-5598 high org.bouncycastle:bcprov-jdk18on 1.77
CVE-2026-6321 high fast-uri 3.1.0
CVE-2026-6322 high fast-uri 3.1.0
GHSA-36jr-mh4h-2g58 high d3-color 1.4.1
GHSA-5c6j-r48x-rmvq high serialize-javascript 4.0.0
GHSA-q4gf-8mx6-v5v3 high next 16.1.6
CVE-2016-2402 medium com.squareup.okhttp3:okhttp
CVE-2018-1196 medium org.springframework.boot:spring-boot
CVE-2019-12384 medium com.fasterxml.jackson.core:jackson-databind
CVE-2019-12814 medium com.fasterxml.jackson.core:jackson-databind
CVE-2021-3163 medium quill 1.3.7
CVE-2022-23540 medium jsonwebtoken 8.5.1
CVE-2022-23541 medium jsonwebtoken 8.5.1
CVE-2022-41946 medium org.postgresql:postgresql
CVE-2023-26115 medium word-wrap 1.2.3
CVE-2023-26136 medium tough-cookie 4.0.0
CVE-2023-26159 medium follow-redirects 1.15.1
CVE-2023-26920 medium fast-xml-parser 3.19.0
CVE-2023-34042 medium org.springframework.security:spring-security-config
CVE-2023-44270 medium postcss 7.0.39
CVE-2023-45857 medium axios 0.27.2
CVE-2024-11023 medium firebase 9.8.2
CVE-2024-11831 medium serialize-javascript 6.0.0
CVE-2024-28849 medium follow-redirects 1.15.1
CVE-2024-29041 medium express 4.18.1
CVE-2024-29857 medium org.bouncycastle:bcprov-jdk18on 1.77
CVE-2024-30171 medium org.bouncycastle:bcprov-jdk18on 1.77
CVE-2024-30172 medium org.bouncycastle:bcprov-jdk18on 1.77
CVE-2024-33883 medium ejs 3.1.8
CVE-2024-34447 medium org.bouncycastle:bcprov-jdk18on 1.77
CVE-2024-37168 medium @grpc/grpc-js 1.6.7
CVE-2024-38829 medium org.springframework.ldap:spring-ldap-core
CVE-2024-43788 medium webpack 5.73.0
CVE-2024-53382 medium prismjs 1.28.0
CVE-2025-13465 medium lodash-es 4.17.21
CVE-2025-13465 medium lodash 4.17.21
CVE-2025-15284 medium qs 6.10.3
CVE-2025-27789 medium @babel/runtime-corejs3 7.18.3
CVE-2025-27789 medium @babel/helpers 7.18.2
CVE-2025-30359 medium webpack-dev-server 4.9.1
CVE-2025-30360 medium webpack-dev-server 4.9.1
CVE-2025-32996 medium http-proxy-middleware 2.0.6
CVE-2025-32997 medium http-proxy-middleware 2.0.6
CVE-2025-62718 medium axios 0.27.2
CVE-2025-64718 medium js-yaml 3.14.1
CVE-2025-66030 medium node-forge 1.3.1
CVE-2025-68470 medium react-router 6.3.0
CVE-2025-69873 medium ajv 8.11.0
CVE-2025-8885 medium org.bouncycastle:bcprov-jdk18on 1.77
CVE-2026-0636 medium org.bouncycastle:bcprov-jdk18on 1.77
CVE-2026-1525 medium undici 7.18.2
CVE-2026-1527 medium undici 7.18.2
CVE-2026-22747 medium org.springframework.security:spring-security-web
CVE-2026-22748 medium org.springframework.security:spring-security-oauth2-jose
CVE-2026-2581 medium undici 7.18.2
CVE-2026-2739 medium bn.js 5.2.1
CVE-2026-27978 medium next 16.1.6
CVE-2026-27979 medium next 16.1.6
CVE-2026-27980 medium next 16.1.6
CVE-2026-29057 medium next 16.1.6
CVE-2026-2950 medium lodash-es 4.17.21
CVE-2026-2950 medium lodash 4.17.21
CVE-2026-33349 medium fast-xml-parser 5.3.6
CVE-2026-33532 medium yaml 2.1.1
CVE-2026-33672 medium picomatch 2.3.1
CVE-2026-33750 medium brace-expansion 1.1.11
CVE-2026-34043 medium serialize-javascript 4.0.0
CVE-2026-40175 medium axios 0.27.2
CVE-2026-40299 medium next-intl 4.8.3
CVE-2026-41305 medium postcss 8.5.6
CVE-2026-41650 medium fast-xml-parser 3.19.0
CVE-2026-41691 medium i18next-http-backend 3.0.2
CVE-2026-42034 medium axios 0.27.2
CVE-2026-42036 medium axios 0.27.2
CVE-2026-42037 medium axios 1.13.5
CVE-2026-42038 medium axios 0.27.2
CVE-2026-42039 medium axios 0.27.2
CVE-2026-42041 medium axios 0.27.2
CVE-2026-42042 medium axios 0.27.2
CVE-2026-42044 medium axios 1.13.5
CVE-2026-44664 medium fast-xml-builder 1.1.5
CVE-2026-4923 medium path-to-regexp 8.3.0
GHSA-4c35-wcg5-mm9h medium next-intl 4.8.3
GHSA-673j-qm5f-xpv8 medium org.postgresql:postgresql
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.1
CVE-2022-26520 low org.postgresql:postgresql
CVE-2024-42459 low elliptic 6.5.5
CVE-2024-42460 low elliptic 6.5.5
CVE-2024-42461 low elliptic 6.5.5
CVE-2024-43796 low express 4.18.1
CVE-2024-43799 low send 0.18.0
CVE-2024-43800 low serve-static 1.15.0
CVE-2024-47764 low cookie 0.4.2
CVE-2024-48948 low elliptic 6.5.5
CVE-2024-48949 low elliptic 6.5.5
CVE-2025-14505 low elliptic 6.5.5
CVE-2025-54798 low tmp 0.2.1
CVE-2025-5889 low brace-expansion 1.1.11
CVE-2025-68157 low webpack 5.73.0
CVE-2025-68458 low webpack 5.73.0
CVE-2025-7339 low on-headers 1.0.2
CVE-2026-2391 low qs 6.10.3
CVE-2026-24001 low diff 4.0.2
CVE-2026-27942 low fast-xml-parser 5.3.6
CVE-2026-27977 low next 16.1.6
CVE-2026-3449 low @tootallnate/once 1.1.2
CVE-2026-42040 low axios 0.27.2
GHSA-r27j-894h-3w3p low icu-minify 4.8.3
