Security Deep Dive
Damselfly
Security posture and CVE patch evidence from tracked releases.
1 open KEV CVE affects 4.5.3.
KEV-listed CVEs are confirmed exploited in the wild — patch urgently.
Trust Signals — 2 of 9 Present
Evidence already collected from releases and repository metadata.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
| Component | Score | Detail |
|---|---|---|
| epss | 0.25 / 0.5 | No EPSS data |
| freshness | 1.00 / 1.0 | 23d stale |
| scorecard | 2.00 / 4.0 | ⚠ Estimated — not yet collected |
| cve health | 0.50 / 2.5 | No open CVEs |
| patch speed | 0.50 / 0.5 | ⚠ Estimated — no CVE patch history |
| kev exposure | 1.50 / 1.5 | No KEV exposure |
| supply chain risk | -1.50 / 10.0 | Risk 77.0/100 |
Score breakdown
schema v2
| Dimension | Score | Weight |
|---|---|---|
| Vulnerability posture | 2.0 | 25% |
| Release responsiveness | 10.0 | 5% |
| Dependency exposure | 2.3 | 10% |
| Provenance trust | 5.0 | 40% |
| Maintainer health | 10.0 | 10% |
| Operational risk | 8.5 | 10% |
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 77.0/100
OpenSSF Badge
Badge indicates adherence to open-source best practices.
1 open CVE against Damselfly
Sorted by KEV-listed first, then longest exposure.
| CVE | Severity | CVSS | EPSS | Days open | KEV | Status |
|---|---|---|---|---|---|---|
| CVE-2023-5217 | HIGH | 8.8 | 89%ile | 976d | KEV | Affects vLATEST |
Dependency Vulnerabilities
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
| Critical | High | Medium | Low | Unknown |
|---|---|---|---|---|
| 0 | 31 | 82 | 22 | 0 |
1 dependency vulnerability is in KEV.
CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2019-14262 | high | — | MetadataExtractor | 0 | — |
| CVE-2023-33170 | high | — | Microsoft.AspNetCore.Identity | 0 | — |
| CVE-2023-5217 | high | KEV | electron | 20.0.0 | — |
| CVE-2024-27929 | high | — | SixLabors.ImageSharp | 0 | — |
| CVE-2024-41131 | high | — | SixLabors.ImageSharp | 0 | — |
| CVE-2025-27598 | high | — | SixLabors.ImageSharp | 0 | — |
| CVE-2025-53015 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-53101 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-55004 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-55154 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-55298 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-57803 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-66628 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-24481 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-24485 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25794 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25965 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25967 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25968 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25985 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25989 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28494 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28691 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28693 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-30929 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33901 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33908 | high | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-34769 | high | — | electron | 20.0.0 | — |
| CVE-2026-34770 | high | — | electron | 20.0.0 | — |
| CVE-2026-34771 | high | — | electron | 20.0.0 | — |
| CVE-2026-34774 | high | — | electron | 20.0.0 | — |
| CVE-2022-36077 | medium | — | electron | 20.0.0 | — |
| CVE-2023-1289 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2023-29198 | medium | — | electron | 20.0.0 | — |
| CVE-2023-39956 | medium | — | electron | 20.0.0 | — |
| CVE-2023-44402 | medium | — | electron | 20.0.0 | — |
| CVE-2024-32035 | medium | — | SixLabors.ImageSharp | 0 | — |
| CVE-2024-32036 | medium | — | SixLabors.ImageSharp | 0 | — |
| CVE-2024-41132 | medium | — | SixLabors.ImageSharp | 0 | — |
| CVE-2024-46993 | medium | — | electron | 20.0.0 | — |
| CVE-2025-54575 | medium | — | SixLabors.ImageSharp | 0 | — |
| CVE-2025-55160 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-55305 | medium | — | electron | 20.0.0 | — |
| CVE-2025-62171 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-68618 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-68950 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-22770 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-23874 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-23952 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-24484 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25576 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25637 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25638 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25795 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25796 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25797 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25798 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25799 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25897 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25898 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25966 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25969 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25970 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25971 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25982 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25983 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25986 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25987 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25988 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-26066 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-26283 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-26284 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-26983 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-27798 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-27799 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28493 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28686 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28687 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28688 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28689 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28690 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-28692 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-30883 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-30931 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-30935 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-30936 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-30937 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-31853 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-32636 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33535 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33536 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33899 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33900 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33902 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-33905 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-34238 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-34765 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34767 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34772 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34773 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34775 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34776 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34777 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34778 | medium | — | electron | 20.0.0 | — |
| CVE-2026-34779 | medium | — | electron | 20.0.0 | — |
| CVE-2026-40169 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-40183 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-40310 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-40311 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-40312 | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-41319 | medium | — | MailKit | 0 | — |
| GHSA-98cp-rj9f-6v5g | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-qp59-x883-77qv | medium | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-53014 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-53019 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-55212 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2025-68469 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-25984 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| CVE-2026-34766 | low | — | electron | 20.0.0 | — |
| CVE-2026-34768 | low | — | electron | 20.0.0 | — |
| CVE-2026-34781 | low | — | electron | 20.0.0 | — |
| GHSA-2gq3-ww97-wfjm | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-3j4x-rwrx-xxj9 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-3q5f-gmjc-38r8 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-6p22-q7w5-33pg | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-8vfj-q2cp-5m5j | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-9r56-3gjq-hqf7 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-gq5v-qf8q-fp77 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-pmpg-6pww-fg6q | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-q8h3-jv9v-57qx | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-w54j-7wpm-crhj | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-wfx3-6g53-9fgc | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-wgxp-q8xq-wpp9 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-x928-4434-crqj | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
| GHSA-xpg8-7m6m-jf56 | low | — | Magick.NET-Q16-AnyCPU | 0 | — |
Showing 135 of 135