Security Deep Dive

daytona

Security posture and CVE patch evidence from tracked releases.

11 critical dependency CVEs affect v0.184.0.

Audit transitive dependencies; consider upgrading or pinning replacements.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

20 versions tracked
Version Published Critical High Medium Low KEV Notes
v0.184.0 2026-06-03 Latest
v0.183.0 2026-05-29
v0.182.0 2026-05-26
v0.181.0 2026-05-25
v0.180.0 2026-05-24
v0.179.0 2026-05-21
v0.178.0 2026-05-20
v0.177.0 2026-05-15
v0.176.0 2026-05-14
v0.175.0 2026-05-12
v0.174.0 2026-05-11 Patches CVE-2026-42208
v0.173.0 2026-05-06 1 KEV 1
v0.172.0 2026-05-05 1 KEV 1
v0.171.0 2026-04-30 1 KEV 1
v0.170.0 2026-04-27 1 KEV 1
v0.169.0 2026-04-23 1 KEV 1
v0.168.0 2026-04-21 1 KEV 1
v0.167.0 2026-04-16 1 KEV 1
v0.166.0 2026-04-15 1 KEV 1
v0.165.0 2026-04-14 1 KEV 1
— Signed — SLSA — SBOM ✓ Security policy Weekly cadence · 1d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

Signed releases: Unknown (Latest release artifact signature; Latest release)
SLSA provenance: Unknown (Attestation predicate level; Latest release)
SBOM published: Unknown (GitHub SBOM API; Latest release)
SECURITY.md: Present (GitHub repository metadata; Repository policy; Checked: 22d ago)
Release cadence: weekly: Present (1d median over recent releases; Release history; Latest release: today)
Maintainer active: Present (Recent commit activity; Repository; Last commit: today)
Checksums (SHA256SUMS): Not active yet (SHA256SUMS or equivalent; Release asset; Latest release: today)
GitHub Actions attestation: Not active yet (actions/attest-build-provenance; Workflow file; Latest release: today)
Signing assets: Not active yet (.sig, .crt, cosign.pub, or similar; Release asset; Latest release: today)
0.8/10 Security Score
Dependency Exposure 230 transitive dependency CVEs found in the latest SBOM. 11 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss: 0.25 / 0.5 (Max EPSS 0.569)
freshness: 1.00 / 1.0 (Up to date)
scorecard: 2.00 / 4.0 (⚠ Estimated, not yet collected)
cve health: 0.00 / 2.5 (No open CVEs)
patch speed: 0.50 / 0.5 (⚠ Estimated, no CVE patch history)
kev exposure: -1.50 / 1.5 (KEV exposure detected)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown (schema v2)

Vulnerability posture: 0.0 (25%); direct cves: clear; cve scan: available
Release responsiveness: 10.0 (5%); patch speed days: no_history
Dependency exposure: 0.0 (10%); supply chain risk: 100.0; transitive cves: 11c/91h
Provenance trust: 5.0 (40%); scorecard score: estimated; openssf badge: none
Maintainer health: 10.0 (10%); activity freshness: 0d
Operational risk: 1.5 (10%); kev exposure: detected; epss max: 0.569

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
11 Transitive critical CVEs
0 KEV-transitive CVEs
50% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.

CVEs Patched by Year (chart; legend: Critical, High, Medium, Low)
2026: 1

CVE Severity EPSS Disclosed Fixed in Days to fix vs Ecosystem Median KEV
CVE-2026-42208 CRITICAL 98%ile v0.174.0 KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

5680 dependencies scanned

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 11, High: 91, Medium: 101, Low: 20, Unknown: 7

CVE Severity KEV Dependency Affected version Cleared in release
CVE-2018-20060 critical urllib3 v0.174.0
CVE-2021-41945 critical httpx v0.174.0
CVE-2024-2952 critical litellm v0.174.0
CVE-2024-5751 critical litellm v0.174.0
CVE-2025-7783 critical form-data 4.0.3 v0.174.0
CVE-2026-25896 critical fast-xml-parser 5.2.5 v0.174.0
CVE-2026-33937 critical handlebars 4.7.8 v0.174.0
CVE-2026-35030 critical litellm v0.174.0
CVE-2026-41242 critical protobufjs 7.5.4 v0.174.0
CVE-2026-42208 critical litellm v0.175.0
GHSA-5mg7-485q-xm76 critical litellm v0.174.0
CVE-2018-1000518 high websockets v0.174.0
CVE-2019-11324 high urllib3 v0.174.0
CVE-2020-7212 high urllib3 v0.174.0
CVE-2021-33503 high urllib3 v0.174.0
CVE-2021-33880 high websockets v0.174.0
CVE-2023-43804 high urllib3 v0.174.0
CVE-2024-10188 high litellm v0.174.0
CVE-2024-23334 high aiohttp 3.8.4 v0.174.0
CVE-2024-24762 high python-multipart v0.174.0
CVE-2024-30251 high aiohttp 3.8.4 v0.174.0
CVE-2024-39338 high axios 1.6.1 v0.174.0
CVE-2024-4264 high litellm v0.174.0
CVE-2024-4888 high litellm v0.174.0
CVE-2024-53981 high python-multipart v0.174.0
CVE-2024-6587 high litellm v0.174.0
CVE-2024-6825 high litellm v0.174.0
CVE-2024-8984 high litellm v0.174.0
CVE-2024-9606 high litellm v0.174.0
CVE-2025-0330 high litellm v0.174.0
CVE-2025-0628 high litellm v0.174.0
CVE-2025-12758 high validator 13.12.0 v0.174.0
CVE-2025-27152 high axios 1.6.1 v0.174.0
CVE-2025-58754 high axios 1.6.1 v0.174.0
CVE-2025-64756 high glob 10.4.5 v0.174.0
CVE-2025-66020 high valibot 1.0.0 v0.174.0
CVE-2025-66418 high urllib3 v0.174.0
CVE-2025-66471 high urllib3 v0.174.0
CVE-2025-69223 high aiohttp 3.8.4 v0.174.0
CVE-2026-1526 high undici 5.29.0 v0.174.0
CVE-2026-21441 high urllib3 v0.174.0
CVE-2026-22029 high @remix-run/router 1.22.0 v0.174.0
CVE-2026-2229 high undici 5.29.0 v0.174.0
CVE-2026-2359 high multer 2.0.2 v0.174.0
CVE-2026-23745 high tar 7.4.4 v0.174.0
CVE-2026-23949 high jaraco-context 6.0.1 v0.174.0
CVE-2026-23950 high tar 7.4.4 v0.174.0
CVE-2026-24486 high python-multipart v0.174.0
CVE-2026-24842 high tar 7.4.4 v0.174.0
CVE-2026-25128 high fast-xml-parser 5.2.5 v0.174.0
CVE-2026-25639 high axios 1.6.1 v0.174.0
CVE-2026-25990 high pillow 11.3.0 v0.174.0
CVE-2026-26007 high cryptography 43.0.3 v0.174.0
CVE-2026-26278 high fast-xml-parser 5.2.5 v0.174.0
CVE-2026-26960 high tar 7.4.4 v0.174.0
CVE-2026-26996 high minimatch 9.0.3 v0.174.0
CVE-2026-27903 high minimatch 9.0.3 v0.174.0
CVE-2026-27904 high minimatch 9.0.3 v0.174.0
CVE-2026-27959 high koa 3.0.1 v0.174.0
CVE-2026-29074 high svgo 3.3.2 v0.174.0
CVE-2026-29786 high tar 7.4.4 v0.174.0
CVE-2026-31802 high tar 7.4.4 v0.174.0
CVE-2026-32274 high black 23.12.1 v0.174.0
CVE-2026-33036 high fast-xml-parser 5.2.5 v0.174.0
CVE-2026-3304 high multer 2.0.2 v0.174.0
CVE-2026-33540 high github.com/distribution/distribution/v3 v3.0.0 v0.174.0
CVE-2026-33671 high picomatch 4.0.2 v0.174.0
CVE-2026-33938 high handlebars 4.7.8 v0.174.0
CVE-2026-33939 high handlebars 4.7.8 v0.174.0
CVE-2026-33940 high handlebars 4.7.8 v0.174.0
CVE-2026-33941 high handlebars 4.7.8 v0.174.0
CVE-2026-34040 high github.com/docker/docker v28.5.2+incompatible v0.174.0
CVE-2026-35029 high litellm v0.174.0
CVE-2026-35172 high github.com/distribution/distribution/v3 v3.0.0 v0.174.0
CVE-2026-3520 high multer 2.0.2 v0.174.0
CVE-2026-35209 high defu 6.1.4 v0.174.0
CVE-2026-39363 high vite 7.3.1 v0.174.0
CVE-2026-39364 high vite 7.3.1 v0.174.0
CVE-2026-39983 high basic-ftp 5.2.0 v0.174.0
CVE-2026-40192 high pillow 11.3.0 v0.174.0
CVE-2026-40879 high @nestjs/microservices 11.1.8 v0.174.0
CVE-2026-41324 high basic-ftp 5.2.0 v0.174.0
CVE-2026-42033 high axios 1.6.1 v0.174.0
CVE-2026-42035 high axios 1.6.1 v0.174.0
CVE-2026-42043 high axios 1.6.1 v0.174.0
CVE-2026-42203 high litellm v0.174.0
CVE-2026-42264 high axios 1.6.1 v0.174.0
CVE-2026-42271 high litellm v0.174.0
CVE-2026-42311 high pillow 11.3.0 v0.174.0
CVE-2026-42561 high python-multipart v0.174.0
CVE-2026-44240 high basic-ftp 5.2.0 v0.174.0
CVE-2026-44665 high fast-xml-builder 1.1.4 v0.174.0
CVE-2026-44728 high @babel/plugin-transform-modules-systemjs 7.27.1 v0.174.0
CVE-2026-4800 high lodash 4.17.21 v0.174.0
CVE-2026-4867 high path-to-regexp 0.1.12 v0.174.0
CVE-2026-4926 high path-to-regexp 8.2.0 v0.174.0
CVE-2026-6321 high fast-uri 3.1.0 v0.174.0
CVE-2026-6322 high fast-uri 3.1.0 v0.174.0
GHSA-5c6j-r48x-rmvq high serialize-javascript 6.0.2 v0.174.0
GHSA-69x8-hrgq-fjj8 high litellm v0.174.0
GHSA-6v7q-wjvx-w8wg high basic-ftp 5.2.0 v0.174.0
GHSA-c4rq-3m3g-8wgx high nokogiri 1.19.1 v0.174.0
CVE-2016-9015 medium urllib3 v0.174.0
CVE-2018-25091 medium urllib3 v0.174.0
CVE-2019-11236 medium urllib3 v0.174.0
CVE-2020-26137 medium urllib3 v0.174.0
CVE-2021-28363 medium urllib3 v0.174.0
CVE-2021-29510 medium pydantic v0.174.0
CVE-2023-37276 medium aiohttp 3.8.4 v0.174.0
CVE-2023-45803 medium urllib3 v0.174.0
CVE-2023-47627 medium aiohttp 3.8.4 v0.174.0
CVE-2023-49081 medium aiohttp 3.8.4 v0.174.0
CVE-2023-49082 medium aiohttp 3.8.4 v0.174.0
CVE-2024-21503 medium black 23.12.1 v0.174.0
CVE-2024-23829 medium aiohttp 3.8.4 v0.174.0
CVE-2024-27306 medium aiohttp 3.8.4 v0.174.0
CVE-2024-3772 medium pydantic v0.174.0
CVE-2024-37891 medium urllib3 v0.174.0
CVE-2024-4890 medium litellm v0.174.0
CVE-2024-5225 medium litellm v0.174.0
CVE-2024-52304 medium aiohttp 3.8.4 v0.174.0
CVE-2024-5710 medium litellm v0.174.0
CVE-2025-12695 medium dspy 2.6.0 v0.174.0
CVE-2025-13465 medium lodash 4.17.21 v0.174.0
CVE-2025-13466 medium body-parser 2.2.0 v0.174.0
CVE-2025-15284 medium qs 6.13.1 v0.174.0
CVE-2025-50181 medium urllib3 v0.174.0
CVE-2025-50182 medium urllib3 v0.174.0
CVE-2025-56200 medium validator 13.12.0 v0.174.0
CVE-2025-62522 medium vite 5.4.20 v0.174.0
CVE-2025-62595 medium koa 3.0.1 v0.174.0
CVE-2025-62718 medium axios 1.6.1 v0.174.0
CVE-2025-64718 medium js-yaml 4.1.0 v0.174.0
CVE-2025-68146 medium filelock 3.19.1 v0.174.0
CVE-2025-68470 medium react-router 6.29.0 v0.174.0
CVE-2025-69227 medium aiohttp 3.8.4 v0.174.0
CVE-2025-69228 medium aiohttp 3.8.4 v0.174.0
CVE-2025-69229 medium aiohttp 3.8.4 v0.174.0
CVE-2025-69873 medium ajv 8.17.1 v0.174.0
CVE-2025-71176 medium pytest 8.4.2 v0.174.0
CVE-2026-1525 medium undici 5.29.0 v0.174.0
CVE-2026-1527 medium undici 5.29.0 v0.174.0
CVE-2026-22036 medium undici 5.29.0 v0.174.0
CVE-2026-22701 medium filelock 3.19.1 v0.174.0
CVE-2026-22815 medium aiohttp 3.8.4 v0.174.0
CVE-2026-2327 medium markdown-it 14.1.0 v0.174.0
CVE-2026-25645 medium requests 2.32.5 v0.174.0
CVE-2026-2739 medium bn.js 4.12.2 v0.174.0
CVE-2026-28684 medium python-dotenv v0.174.0
CVE-2026-2950 medium lodash 4.17.21 v0.174.0
CVE-2026-31808 medium file-type 21.0.0 v0.174.0
CVE-2026-32630 medium file-type 21.0.0 v0.174.0
CVE-2026-33349 medium fast-xml-parser 5.2.5 v0.174.0
CVE-2026-33532 medium yaml 1.10.2 v0.174.0
CVE-2026-33672 medium picomatch 4.0.2 v0.174.0
CVE-2026-33750 medium brace-expansion 2.0.2 v0.174.0
CVE-2026-33916 medium handlebars 4.7.8 v0.174.0
CVE-2026-33997 medium github.com/docker/docker v28.5.2+incompatible v0.174.0
CVE-2026-34043 medium serialize-javascript 6.0.2 v0.174.0
CVE-2026-34515 medium aiohttp 3.8.4 v0.174.0
CVE-2026-34516 medium aiohttp 3.8.4 v0.174.0
CVE-2026-34525 medium aiohttp 3.8.4 v0.174.0
CVE-2026-35515 medium @nestjs/core 11.1.8 v0.174.0
CVE-2026-39365 medium vite 7.3.1 v0.174.0
CVE-2026-39406 medium @hono/node-server 1.19.12 v0.174.0
CVE-2026-39407 medium hono 4.12.10 v0.174.0
CVE-2026-39408 medium hono 4.12.10 v0.174.0
CVE-2026-39409 medium hono 4.12.10 v0.174.0
CVE-2026-39410 medium hono 4.12.10 v0.174.0
CVE-2026-40175 medium axios 1.6.1 v0.174.0
CVE-2026-40347 medium python-multipart v0.174.0
CVE-2026-41067 medium astro 6.1.5 v0.174.0
CVE-2026-41305 medium postcss 8.5.5 v0.174.0
CVE-2026-41322 medium @astrojs/node 10.0.4 v0.174.0
CVE-2026-41493 medium yard 0.9.38 v0.174.0
CVE-2026-41506 medium github.com/go-git/go-git/v5 v5.17.1 v0.174.0
CVE-2026-41650 medium fast-xml-parser 5.2.5 v0.174.0
CVE-2026-41888 medium github.com/distribution/distribution/v3 v3.0.0 v0.174.0
CVE-2026-41907 medium uuid 11.1.0 v0.174.0
CVE-2026-42034 medium axios 1.6.1 v0.174.0
CVE-2026-42036 medium axios 1.6.1 v0.174.0
CVE-2026-42037 medium axios 1.6.1 v0.174.0
CVE-2026-42038 medium axios 1.6.1 v0.174.0
CVE-2026-42039 medium axios 1.6.1 v0.174.0
CVE-2026-42041 medium axios 1.6.1 v0.174.0
CVE-2026-42042 medium axios 1.6.1 v0.174.0
CVE-2026-42044 medium axios 1.6.1 v0.174.0
CVE-2026-42308 medium pillow 11.3.0 v0.174.0
CVE-2026-42309 medium pillow 11.3.0 v0.174.0
CVE-2026-42310 medium pillow 11.3.0 v0.174.0
CVE-2026-42338 medium ip-address 10.0.1 v0.174.0
CVE-2026-44455 medium hono 4.12.10 v0.174.0
CVE-2026-44456 medium hono 4.12.10 v0.174.0
CVE-2026-4923 medium path-to-regexp 8.2.0 v0.174.0
GHSA-26pp-8wgv-hjvm medium hono 4.12.10 v0.174.0
GHSA-458j-xx4x-4375 medium hono 4.12.10 v0.174.0
GHSA-67mh-4wv8-2f99 medium esbuild 0.21.5 v0.174.0
GHSA-7rx3-28cr-v5wh medium handlebars 4.7.8 v0.174.0
GHSA-pjjw-qhg8-p2p9 medium aiohttp 3.8.4 v0.174.0
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.11 v0.174.0
GHSA-v2fc-qm4h-8hqv medium nokogiri 1.19.1 v0.174.0
GHSA-v3rj-xjv7-4jmq medium smol-toml 1.6.0 v0.174.0
GHSA-vvjj-xcjg-gr5g medium nodemailer 8.0.4 v0.174.0
CVE-2024-12797 low cryptography 43.0.3 v0.174.0
CVE-2025-14505 low elliptic 6.6.1 v0.174.0
CVE-2025-53643 low aiohttp 3.8.4 v0.174.0
CVE-2025-69224 low aiohttp 3.8.4 v0.174.0
CVE-2025-69225 low aiohttp 3.8.4 v0.174.0
CVE-2025-69226 low aiohttp 3.8.4 v0.174.0
CVE-2025-69230 low aiohttp 3.8.4 v0.174.0
CVE-2025-7339 low on-headers 1.0.2 v0.174.0
CVE-2026-2391 low qs 6.13.1 v0.174.0
CVE-2026-27942 low fast-xml-parser 5.2.5 v0.174.0
CVE-2026-34073 low cryptography 43.0.3 v0.174.0
CVE-2026-3449 low @tootallnate/once 2.0.0 v0.174.0
CVE-2026-34513 low aiohttp 3.8.4 v0.174.0
CVE-2026-34514 low aiohttp 3.8.4 v0.174.0
CVE-2026-34517 low aiohttp 3.8.4 v0.174.0
CVE-2026-34518 low aiohttp 3.8.4 v0.174.0
CVE-2026-34519 low aiohttp 3.8.4 v0.174.0
CVE-2026-34520 low aiohttp 3.8.4 v0.174.0
CVE-2026-42040 low axios 1.6.1 v0.174.0
GHSA-442j-39wm-28r2 low handlebars 4.7.8 v0.174.0
CVE-2020-8911 unknown github.com/aws/aws-sdk-go v1.55.5 v0.174.0
CVE-2020-8912 unknown github.com/aws/aws-sdk-go v1.55.5 v0.174.0
CVE-2026-33812 unknown golang.org/x/image v0.38.0 v0.174.0
CVE-2026-33813 unknown golang.org/x/image v0.38.0 v0.174.0
CVE-2026-33814 unknown golang.org/x/net v0.52.0 v0.174.0
MAL-2026-2144 unknown litellm v0.174.0
PYSEC-2026-2 unknown litellm v0.174.0
