Skip to content
Tools / edit-mind / Security

Security Deep Dive

edit-mind

Security posture and CVE patch evidence from tracked releases.

Back to Tool

1 actively-exploited dependency CVE affects v0.22.0.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

14 versions tracked
Version Published C H M L KEV Notes
v0.22.0 2026-05-18
Latest Patches CVE-2023-4863
v0.21.0 2026-04-24 1 KEV 1
v0.20.4 2026-03-17 1 KEV 1
v0.20.3 2026-03-15 1 KEV 1
v0.20.2 2026-03-15 1 KEV 1
v0.20.1 2026-03-14 1 KEV 1
v0.20.0 2026-03-14 1 KEV 1
v0.14.5 2026-03-10 1 KEV 1
v0.14.4 2026-03-04 1 KEV 1
v0.14.3 2026-02-25 1 KEV 1
v0.14.2 2026-02-24 1 KEV 1
v0.14.1 2026-01-30 1 KEV 1
v0.14.0 2026-01-28 1 KEV 1
v0.13.0 2026-01-15 1 KEV 1
✗ Signed ✗ SLSA — SBOM ✗ Security policy Weekly cadence · 4d median Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present
Signed releases Absent
Latest release artifact signature None
Last verified: 11d ago
SLSA provenance Absent
Attestation predicate level Latest release
Last verified: 11d ago
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 22d ago
Release cadence: weekly Present
4d median over recent releases Release history
Latest release: 16d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 15d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 16d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 16d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 16d ago
0.5/10 Security Score
Dependency Exposure 61 transitive dependency CVEs found in the latest SBOM. 3 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.00 / 0.5

Max EPSS 0.933

freshness

1.00 / 1.0

14d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

⚠ No direct scan — 3c/23h transitive CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

-1.50 / 1.5

KEV exposure detected

supply chain risk

-1.50 / 10.0

Risk 73.7/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: estimated

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

2.6

10%

supply chain risk: 73.69 transitive cves: 3c/23h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 14d

Operational risk

operational risk

0.0

10%

kev exposure: detected epss max: 0.933
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 73.7/100
3 Transitive critical CVEs
1 KEV-transitive CVEs
65% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.

CVEs Patched by Year

Critical High Medium Low
2026
1
CVE Severity EPSS Disclosed Fixed in Days to fix vs Ecosystem Median KEV
CVE-2023-4863 HIGH 99%ile v0.22.0 KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

1017 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

3

High

23

Medium

29

Low

5

Unknown

1

1 dependency vulnerabilities are in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

Still affecting latest (2) All (61)
Critical 3 High 23 Medium 29 Low 5 Unknown 1
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2019-6446 critical numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2023-50447 critical pillow 9.3.0 v0.22.0
CVE-2023-6730 critical transformers 4.35.0 v0.22.0
CVE-2014-1858 high numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2014-1859 high numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2017-12852 high numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2021-41495 high numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2023-44271 high pillow 9.3.0 v0.22.0
CVE-2023-4863 high KEV pillow 9.3.0
CVE-2023-7018 high transformers 4.35.0 v0.22.0
CVE-2024-11392 high transformers 4.35.0 v0.22.0
CVE-2024-11393 high transformers 4.35.0 v0.22.0
CVE-2024-11394 high transformers 4.35.0 v0.22.0
CVE-2024-24762 high python-multipart 0.0.6 v0.22.0
CVE-2024-28219 high pillow 9.3.0 v0.22.0
CVE-2024-53981 high python-multipart 0.0.6 v0.22.0
CVE-2026-24486 high python-multipart 0.0.6 v0.22.0
CVE-2026-33151 high socket.io-parser 4.2.5 v0.22.0
CVE-2026-33671 high picomatch 2.3.1 v0.22.0
CVE-2026-35209 high defu 6.1.4 v0.22.0
CVE-2026-42561 high python-multipart 0.0.6 v0.22.0
CVE-2026-43893 high exiftool-vendored 31.3.0 v0.22.0
CVE-2026-4867 high path-to-regexp 0.1.12 v0.22.0
CVE-2026-4926 high path-to-regexp 8.3.0 v0.22.0
CVE-2026-6321 high fast-uri 3.1.0 v0.22.0
CVE-2026-6322 high fast-uri 3.1.0 v0.22.0
CVE-2021-34141 medium numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2021-41496 medium numpy 1.24.0,< 2.0.0 v0.22.0
CVE-2024-12720 medium transformers 4.35.0 v0.22.0
CVE-2024-5206 medium scikit-learn 1.3.0 v0.22.0
CVE-2025-1194 medium transformers 4.35.0 v0.22.0
CVE-2025-2099 medium transformers 4.35.0 v0.22.0
CVE-2025-3263 medium transformers 4.35.0 v0.22.0
CVE-2025-3264 medium transformers 4.35.0 v0.22.0
CVE-2025-3730 medium torch 2.6.0 v0.22.0
CVE-2025-3933 medium transformers 4.35.0 v0.22.0
CVE-2025-5197 medium transformers 4.35.0 v0.22.0
CVE-2025-6051 medium transformers 4.35.0 v0.22.0
CVE-2025-6638 medium transformers 4.35.0 v0.22.0
CVE-2025-6921 medium transformers 4.35.0 v0.22.0
CVE-2025-69873 medium ajv 8.17.1 v0.22.0
CVE-2025-71176 medium pytest v0.22.0
CVE-2026-1245 medium binary-parser 2.2.1 v0.22.0
CVE-2026-1839 medium transformers 4.35.0 v0.22.0
CVE-2026-28684 medium python-dotenv 1.2.1 v0.22.0
CVE-2026-33532 medium yaml 2.8.1 v0.22.0
CVE-2026-33672 medium picomatch 2.3.1 v0.22.0
CVE-2026-40347 medium python-multipart 0.0.6 v0.22.0
CVE-2026-41907 medium uuid 11.1.0 v0.22.0
CVE-2026-42308 medium pillow 9.3.0 v0.22.0
CVE-2026-42310 medium pillow 9.3.0 v0.22.0
CVE-2026-42338 medium ip-address 10.1.0 v0.22.0
CVE-2026-4923 medium path-to-regexp 8.3.0 v0.22.0
GHSA-67mh-4wv8-2f99 medium esbuild 0.21.5 v0.22.0
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.11 v0.22.0
CVE-2024-34062 low tqdm 4.66.0 v0.22.0
CVE-2024-3568 low transformers 4.35.0 v0.22.0
CVE-2025-2953 low torch 2.6.0 v0.22.0
CVE-2025-3777 low transformers 4.35.0 v0.22.0
CVE-2026-2391 low qs 6.14.1 v0.22.0
PYSEC-2023-175 unknown pillow 9.3.0 v0.22.0

Showing 61 of 61

Beta — feedback welcome: [email protected]