Skip to content
Tools / DB-GPT / Security

Security Deep Dive

DB-GPT

Security posture and CVE patch evidence from tracked releases.

Back to Tool

16 critical dependency CVEs affects v0.8.0.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA ✓ SBOM ✗ Security policy Unknown cadence Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Present
GitHub SBOM API Latest release
Last verified: 28d ago
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 18d ago
Release cadence Unknown
12-release median Release history
Latest release: 2mo ago
Maintainer active Present
Recent commit activity Repository
Last commit: 7d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 2mo ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 2mo ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 2mo ago
3.8/10 Security Score
Dependency Exposure 302 transitive dependency CVEs found in the latest SBOM. 16 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

7d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

⚠ No direct scan — 36c/165h transitive CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: estimated

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 36c/165h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 7d

Operational risk

operational risk

8.5

10%

kev exposure: detected epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
16 Transitive critical CVEs
0 KEV-transitive CVEs
30% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

5990 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

16

High

126

Medium

125

Low

35

Unknown

0

Still affecting latest (302) All (414)
Critical 16 High 126 Medium 125 Low 35
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2023-48022 critical ray 2.44.1
CVE-2024-48063 critical torch 2.2.2
CVE-2024-9052 critical vllm 0.7.2
CVE-2025-29783 critical vllm 0.7.2
CVE-2025-29927 critical next 13.4.7
CVE-2025-32434 critical torch 2.2.2
CVE-2025-32444 critical vllm 0.7.2
CVE-2025-34351 critical ray 2.44.1
CVE-2025-43859 critical h11 0.14.0
CVE-2025-47277 critical vllm 0.7.2
CVE-2025-62593 critical ray 2.44.1
CVE-2025-68664 critical langchain-core 0.3.51
CVE-2025-7783 critical form-data 4.0.0
CVE-2026-27962 critical authlib 1.3.1
GHSA-ggpf-24jw-3fcw critical vllm 0.7.2
GHSA-q849-wxrc-vqrp critical hull.js 1.0.6
CVE-2024-21536 high http-proxy-middleware 2.0.6
CVE-2024-21538 high cross-spawn 7.0.3
CVE-2024-23334 high aiohttp 3.8.4
CVE-2024-29180 high webpack-dev-middleware 5.3.3
CVE-2024-30251 high aiohttp 3.8.4
CVE-2024-34350 high next 13.4.7
CVE-2024-34351 high next 13.4.7
CVE-2024-37890 high ws 7.5.9
CVE-2024-39338 high axios 1.7.2
CVE-2024-39693 high next 13.4.7
CVE-2024-4068 high braces 3.0.2
CVE-2024-4340 high sqlparse 0.4.4
CVE-2024-45296 high path-to-regexp 2.2.1
CVE-2024-45590 high body-parser 1.20.1
CVE-2024-45801 high dompurify 3.0.9
CVE-2024-47068 high rollup 0.25.8
CVE-2024-47874 high starlette 0.38.6
CVE-2024-47875 high dompurify 3.0.9
CVE-2024-51479 high next 13.4.7
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2025-12758 high validator 13.12.0
CVE-2025-12816 high node-forge 1.3.1
CVE-2025-27152 high axios 1.7.2
CVE-2025-30165 high vllm 0.7.2
CVE-2025-30167 high jupyter-core 5.7.2
CVE-2025-30202 high vllm 0.7.2
CVE-2025-4565 high protobuf 5.29.4
CVE-2025-47273 high setuptools 78.1.0
CVE-2025-47287 high tornado 6.4.2
CVE-2025-47935 high multer 1.4.5-lts.1
CVE-2025-47944 high multer 1.4.5-lts.1
CVE-2025-48379 high pillow 11.2.1
CVE-2025-48956 high vllm 0.7.2
CVE-2025-48997 high multer 1.4.5-lts.1
CVE-2025-53000 high nbconvert 7.16.6
CVE-2025-57809 high xgrammar 0.1.18
CVE-2025-58754 high axios 1.7.2
CVE-2025-59420 high authlib 1.3.1
CVE-2025-59425 high vllm 0.7.2
CVE-2025-61920 high authlib 1.3.1
CVE-2025-62372 high vllm 0.7.2
CVE-2025-6242 high vllm 0.7.2
CVE-2025-62611 high aiomysql 0.2.0
CVE-2025-64512 high pdfminer-six 20250327
CVE-2025-64756 high glob 10.4.2
CVE-2025-65106 high langchain-core 0.3.51
CVE-2025-65945 high jws 4.0.0
CVE-2025-66031 high node-forge 1.3.1
CVE-2025-66448 high vllm 0.7.2
CVE-2025-67221 high orjson 3.10.16
CVE-2025-69223 high aiohttp 3.8.4
CVE-2025-6984 high langchain-community 0.3.21
CVE-2025-6985 high langchain-text-splitters 0.3.8
CVE-2025-70559 high pdfminer-six 20250327
CVE-2025-7338 high multer 1.4.5-lts.1
CVE-2026-0994 high protobuf 5.29.4
CVE-2026-1260 high sentencepiece 0.2.0
CVE-2026-21441 high urllib3 2.6.1
CVE-2026-23490 high pyasn1 0.6.1
CVE-2026-2359 high multer 1.4.5-lts.1
CVE-2026-23949 high jaraco-context 6.0.1
CVE-2026-24486 high python-multipart 0.0.20
CVE-2026-24779 high vllm 0.7.2
CVE-2026-25048 high xgrammar 0.1.18
CVE-2026-25639 high axios 1.7.2
CVE-2026-25990 high pillow 11.2.1
CVE-2026-26007 high cryptography 44.0.2
CVE-2026-26996 high minimatch 3.1.2
CVE-2026-27606 high rollup 0.25.8
CVE-2026-27903 high minimatch 3.1.2
CVE-2026-27904 high minimatch 3.1.2
CVE-2026-28490 high authlib 1.3.1
CVE-2026-28498 high authlib 1.3.1
CVE-2026-29074 high svgo 3.3.2
CVE-2026-30922 high pyasn1 0.6.1
CVE-2026-30951 high sequelize 6.37.3
CVE-2026-31958 high tornado 6.4.2
CVE-2026-32141 high flatted 3.3.1
CVE-2026-32274 high black 22.8.0
CVE-2026-32874 high ujson 5.10.0
CVE-2026-32875 high ujson 5.10.0
CVE-2026-3304 high multer 1.4.5-lts.1
CVE-2026-33079 high mistune 3.1.3
CVE-2026-33228 high flatted 3.3.1
CVE-2026-33671 high picomatch 2.3.1
CVE-2026-33891 high node-forge 1.3.1
CVE-2026-33894 high node-forge 1.3.1
CVE-2026-33895 high node-forge 1.3.1
CVE-2026-33896 high node-forge 1.3.1
CVE-2026-34070 high langchain-core 0.3.51
CVE-2026-34591 high poetry 2.1.2
CVE-2026-3520 high multer 1.4.5-lts.1
CVE-2026-35397 high jupyter-server 2.15.0
CVE-2026-35536 high tornado 6.4.2
CVE-2026-40110 high jupyter-server 2.15.0
CVE-2026-40171 high notebook 7.4.0
CVE-2026-40171 high jupyterlab 4.4.0
CVE-2026-40192 high pillow 11.2.1
CVE-2026-40934 high jupyter-server 2.15.0
CVE-2026-41066 high lxml 5.3.2
CVE-2026-42033 high axios 1.7.2
CVE-2026-42035 high axios 1.7.2
CVE-2026-42043 high axios 1.7.2
CVE-2026-42215 high gitpython 3.1.44
CVE-2026-42264 high axios 1.7.2
CVE-2026-42266 high jupyterlab 4.4.0
CVE-2026-42284 high gitpython 3.1.44
CVE-2026-42311 high pillow 11.2.1
CVE-2026-42557 high notebook 7.4.0
CVE-2026-42557 high jupyterlab 4.4.0
CVE-2026-42561 high python-multipart 0.0.20
CVE-2026-44243 high gitpython 3.1.44
CVE-2026-44244 high gitpython 3.1.44
CVE-2026-44307 high mako 1.3.10
CVE-2026-44728 high @babel/plugin-transform-modules-systemjs 7.23.9
CVE-2026-4800 high lodash 4.17.21
CVE-2026-4800 high lodash-es 4.17.21
CVE-2026-4867 high path-to-regexp 0.1.7
GHSA-36jr-mh4h-2g58 high d3-color 2.0.0
GHSA-5c6j-r48x-rmvq high serialize-javascript 6.0.1
GHSA-5j59-xgg2-r9c4 high next 13.4.7
GHSA-h25m-26qc-wcjf high next 13.4.7
GHSA-m4gq-x24j-jpmf high mermaid 10.8.0
GHSA-m5qc-5hw7-8vg7 high image-size 1.1.1
GHSA-mwv6-3258-q52c high next 13.4.7
GHSA-q4gf-8mx6-v5v3 high next 13.4.7
CVE-2023-26159 medium follow-redirects 1.15.2
CVE-2023-37276 medium aiohttp 3.8.4
CVE-2023-4316 medium zod 3.21.4
CVE-2023-44270 medium postcss 8.4.14
CVE-2023-47627 medium aiohttp 3.8.4
CVE-2023-49081 medium aiohttp 3.8.4
CVE-2023-49082 medium aiohttp 3.8.4
CVE-2024-11831 medium serialize-javascript 6.0.1
CVE-2024-21503 medium black 22.8.0
CVE-2024-23829 medium aiohttp 3.8.4
CVE-2024-27306 medium aiohttp 3.8.4
CVE-2024-28849 medium follow-redirects 1.15.2
CVE-2024-29041 medium express 4.18.2
CVE-2024-4067 medium micromatch 4.0.5
CVE-2024-43788 medium webpack 5.90.3
CVE-2024-47081 medium requests 2.32.3
CVE-2024-47831 medium next 13.4.7
CVE-2024-52304 medium aiohttp 3.8.4
CVE-2024-53382 medium prismjs 1.29.0
CVE-2024-55565 medium nanoid 3.3.7
CVE-2024-56332 medium next 13.4.7
CVE-2025-13465 medium lodash-es 4.17.21
CVE-2025-13465 medium lodash 4.17.21
CVE-2025-15284 medium qs 6.11.0
CVE-2025-26791 medium dompurify 3.0.9
CVE-2025-27789 medium @babel/helpers 7.24.0
CVE-2025-27789 medium @babel/runtime-corejs3 7.24.0
CVE-2025-27789 medium @babel/runtime 7.24.0
CVE-2025-29770 medium vllm 0.7.2
CVE-2025-30359 medium webpack-dev-server 4.15.1
CVE-2025-30360 medium webpack-dev-server 4.15.1
CVE-2025-32014 medium estree-util-value-to-estree 3.0.1
CVE-2025-32996 medium http-proxy-middleware 2.0.6
CVE-2025-32997 medium http-proxy-middleware 2.0.6
CVE-2025-3730 medium torch 2.2.2
CVE-2025-46722 medium vllm 0.7.2
CVE-2025-48887 medium vllm 0.7.2
CVE-2025-54121 medium starlette 0.38.6
CVE-2025-55173 medium next 13.4.7
CVE-2025-56200 medium validator 13.12.0
CVE-2025-57752 medium next 13.4.7
CVE-2025-57822 medium next 13.4.7
CVE-2025-59471 medium next 13.4.7
CVE-2025-61620 medium vllm 0.7.2
CVE-2025-61669 medium jupyter-server 2.15.0
CVE-2025-62426 medium vllm 0.7.2
CVE-2025-62608 medium mlx 0.26.1
CVE-2025-62609 medium mlx 0.26.1
CVE-2025-62706 medium authlib 1.3.1
CVE-2025-62718 medium axios 1.7.2
CVE-2025-64718 medium js-yaml 4.1.0
CVE-2025-66030 medium node-forge 1.3.1
CVE-2025-66034 medium fonttools 4.57.0
CVE-2025-66400 medium mdast-util-to-hast 13.1.0
CVE-2025-68146 medium filelock 3.18.0
CVE-2025-68158 medium authlib 1.3.1
CVE-2025-68480 medium marshmallow 3.26.1
CVE-2025-69227 medium aiohttp 3.8.4
CVE-2025-69228 medium aiohttp 3.8.4
CVE-2025-69229 medium aiohttp 3.8.4
CVE-2025-69872 medium diskcache 5.6.3
CVE-2025-69873 medium ajv 6.12.6
CVE-2025-71176 medium pytest 8.3.5
CVE-2025-8869 medium pip 25.0.1
CVE-2026-22701 medium filelock 3.18.0
CVE-2026-22702 medium virtualenv 20.30.0
CVE-2026-22773 medium vllm 0.7.2
CVE-2026-22815 medium aiohttp 3.8.4
CVE-2026-2327 medium markdown-it 14.1.0
CVE-2026-25645 medium requests 2.32.3
CVE-2026-27482 medium ray 2.44.1
CVE-2026-27837 medium dottie 2.0.6
CVE-2026-27980 medium next 13.4.7
CVE-2026-28684 medium python-dotenv 1.0.0
CVE-2026-29057 medium next 13.4.7
CVE-2026-2950 medium lodash-es 4.17.21
CVE-2026-2950 medium lodash 4.17.21
CVE-2026-3219 medium pip 25.0.1
CVE-2026-33532 medium yaml 1.10.2
CVE-2026-33672 medium picomatch 2.3.1
CVE-2026-33750 medium brace-expansion 1.1.11
CVE-2026-34043 medium serialize-javascript 6.0.1
CVE-2026-34515 medium aiohttp 3.8.4
CVE-2026-34516 medium aiohttp 3.8.4
CVE-2026-34525 medium aiohttp 3.8.4
CVE-2026-34755 medium vllm 0.7.2
CVE-2026-34756 medium vllm 0.7.2
CVE-2026-39377 medium nbconvert 7.16.6
CVE-2026-39378 medium nbconvert 7.16.6
CVE-2026-40087 medium langchain-core 0.3.51
CVE-2026-40175 medium axios 1.7.2
CVE-2026-40347 medium python-multipart 0.0.20
CVE-2026-41182 medium langsmith 0.3.31
CVE-2026-41205 medium mako 1.3.10
CVE-2026-41238 medium dompurify 3.0.9
CVE-2026-41239 medium dompurify 3.0.9
CVE-2026-41240 medium dompurify 3.0.9
CVE-2026-41305 medium postcss 8.4.39
CVE-2026-41425 medium authlib 1.3.1
CVE-2026-41481 medium langchain-text-splitters 0.3.8
CVE-2026-42034 medium axios 1.7.2
CVE-2026-42036 medium axios 1.7.2
CVE-2026-42037 medium axios 1.7.2
CVE-2026-42038 medium axios 1.7.2
CVE-2026-42039 medium axios 1.7.2
CVE-2026-42041 medium axios 1.7.2
CVE-2026-42042 medium axios 1.7.2
CVE-2026-42044 medium axios 1.7.2
CVE-2026-42308 medium pillow 11.2.1
CVE-2026-42309 medium pillow 11.2.1
CVE-2026-42310 medium pillow 11.2.1
CVE-2026-44222 medium vllm 0.7.2
CVE-2026-5758 medium protocol-buffers-schema 3.6.0
CVE-2026-6357 medium pip 25.0.1
GHSA-27jp-wm6q-gp25 medium sqlparse 0.4.4
GHSA-39q2-94rc-95cp medium dompurify 3.0.9
GHSA-5jpx-9hw9-2fx4 medium next-auth 4.24.7
GHSA-78cv-mqj4-43f7 medium tornado 6.4.2
GHSA-cj63-jhhr-wcxv medium dompurify 3.0.9
GHSA-cjmm-f4jc-qw8r medium dompurify 3.0.9
GHSA-h8r8-wccr-v5f2 medium dompurify 3.0.9
GHSA-hf3c-wxg2-49q9 medium vllm 0.7.2
GHSA-j828-28rj-hfhp medium vllm 0.7.2
GHSA-pjjw-qhg8-p2p9 medium aiohttp 3.8.4
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.2
CVE-2023-46298 low next 13.4.7
CVE-2024-43796 low express 4.18.2
CVE-2024-43799 low send 0.18.0
CVE-2024-43800 low serve-static 1.15.0
CVE-2024-47764 low cookie 0.5.0
CVE-2025-2953 low torch 2.2.2
CVE-2025-32421 low next 13.4.7
CVE-2025-46570 low vllm 0.7.2
CVE-2025-48068 low next 13.4.7
CVE-2025-53643 low aiohttp 3.8.4
CVE-2025-5889 low brace-expansion 1.1.11
CVE-2025-59842 low jupyterlab 4.4.0
CVE-2025-68157 low webpack 5.90.3
CVE-2025-68458 low webpack 5.90.3
CVE-2025-69224 low aiohttp 3.8.4
CVE-2025-69225 low aiohttp 3.8.4
CVE-2025-69226 low aiohttp 3.8.4
CVE-2025-69230 low aiohttp 3.8.4
CVE-2025-7339 low on-headers 1.0.2
CVE-2026-1703 low pip 25.0.1
CVE-2026-2391 low qs 6.11.0
CVE-2026-24001 low diff 5.2.0
CVE-2026-26013 low langchain-core 0.3.51
CVE-2026-34073 low cryptography 44.0.2
CVE-2026-34513 low aiohttp 3.8.4
CVE-2026-34514 low aiohttp 3.8.4
CVE-2026-34517 low aiohttp 3.8.4
CVE-2026-34518 low aiohttp 3.8.4
CVE-2026-34519 low aiohttp 3.8.4
CVE-2026-34520 low aiohttp 3.8.4
CVE-2026-41140 low poetry 2.1.2
CVE-2026-41488 low langchain-openai 0.3.12
CVE-2026-42040 low axios 1.7.2
CVE-2026-4539 low pygments 2.19.1
CVE-2026-7141 low vllm 0.7.2

Showing 302 of 414

Beta — feedback welcome: [email protected]