Security Deep Dive
llama_index
Security posture and CVE patch evidence from tracked releases.
32 critical dependency CVEs affects v0.14.22.
Audit transitive dependencies; consider upgrading or pinning replacements.
Versions by Severity
CVEs are attributed to tracked releases published before the patch release.
| Version | Published | C | H | M | L | KEV | Notes |
|---|---|---|---|---|---|---|---|
| v0.14.22 | 2026-05-14 | — | — | — | — | — |
Latest
Patches
CVE-2026-42208
|
| v0.14.21 | 2026-04-21 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.20 | 2026-04-03 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.19 | 2026-03-25 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.18 | 2026-03-16 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.16 | 2026-03-10 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.15 | 2026-02-18 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.14 | 2026-02-10 | 1 | — | — | — | KEV 1 |
—
|
| v0.14.13 | 2026-01-21 | 1 | — | — | — | KEV 1 |
—
|
✗ Signed
✗ SLSA
— SBOM
✓ Security policy
Weekly cadence · 13d median
Active maintainer
Trust Signals — 3 of 9 Present
Evidence already collected from releases and repository metadata.
3/9
Present
Signed releases
Absent
Latest release artifact signature
None
Last verified: 14d ago
SLSA provenance
Absent
Attestation predicate level
Latest release
Last verified: 14d ago
SBOM published
Unknown
GitHub SBOM API
Latest release
—
SECURITY.md
Present
GitHub repository metadata
Repository policy
Checked: 23d ago
Release cadence: weekly
Present
13d median over recent releases
Release history
Latest release: 20d ago
Maintainer active
Present
Recent commit activity
Repository
Last commit: 5d ago
Checksums (SHA256SUMS)
Not active yet
SHA256SUMS or equivalent
Release asset
Latest release: 20d ago
GitHub Actions attestation
Not active yet
actions/attest-build-provenance
Workflow file
Latest release: 20d ago
Signing assets
Not active yet
.sig, .crt, cosign.pub, or similar
Release asset
Latest release: 20d ago
0.8/10
Security Score
Dependency Exposure
399 transitive dependency
CVEs found in the latest SBOM.
32 critical.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.25 / 0.5
Max EPSS 0.569
freshness
1.00 / 1.0
5d stale
scorecard
2.00 / 4.0
⚠ Estimated — not yet collected
cve health
0.00 / 2.5
No open CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
-1.50 / 1.5
KEV exposure detected
supply chain risk
-1.50 / 10.0
Risk 100.0/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
direct cves: clear
cve scan: available
Release responsiveness
release responsiveness
10.0
5%
patch speed days: no_history
Dependency exposure
dependency exposure
0.0
10%
supply chain risk: 100.0
transitive cves: 32c/155h
Provenance trust
provenance trust
5.0
40%
scorecard score: estimated
openssf badge: none
Maintainer health
maintainer health
10.0
10%
activity freshness: 5d
Operational risk
operational risk
1.5
10%
kev exposure: detected
epss max: 0.569
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 100.0/100
32
Transitive critical CVEs
0
KEV-transitive CVEs
50%
Dependency freshness
OpenSSF Badge
OpenSSF none
Badge indicates adherence to open-source best practices.
CVE Patch History
Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.
CVEs Patched by Year
Critical
High
Medium
Low
2026
1
| CVE | Severity | EPSS | Disclosed | Fixed in | Days to fix | vs Ecosystem Median | KEV |
|---|---|---|---|---|---|---|---|
| CVE-2026-42208 | CRITICAL | 98%ile | — | v0.14.22 | — | — | KEV |
KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.
Dependency Vulnerabilities
4009 dependencies scanned
View full dependency list →
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
32
High
155
Medium
164
Low
36
Unknown
12
Critical
32
High
155
Medium
164
Low
36
Unknown
12
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2012-0805 | critical | — | sqlalchemy | 1.3.12,< 3 | v0.14.22 |
| CVE-2018-20060 | critical | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2019-6446 | critical | — | numpy | — | v0.14.22 |
| CVE-2019-7164 | critical | — | sqlalchemy | 1.3.12,< 3 | v0.14.22 |
| CVE-2019-7548 | critical | — | sqlalchemy | 1.3.12,< 3 | v0.14.22 |
| CVE-2020-10799 | critical | — | svglib | 1.5,< 1.6 | v0.14.22 |
| CVE-2020-17446 | critical | — | asyncpg | 0.30.0,< 0.31 | v0.14.22 |
| CVE-2021-41945 | critical | — | httpx | 0.28.1,< 0.29 | v0.14.22 |
| CVE-2022-45907 | critical | — | torch | — | v0.14.22 |
| CVE-2023-39662 | critical | — | llama-index | — | v0.14.22 |
| CVE-2023-47248 | critical | — | pyarrow | — | v0.14.22 |
| CVE-2023-6730 | critical | — | transformers | — | v0.14.22 |
| CVE-2024-12366 | critical | — | pandasai | 2.3.0 | v0.14.22 |
| CVE-2024-22682 | critical | — | duckdb | 0.10.1,< 1.4.0 | v0.14.22 |
| CVE-2024-23751 | critical | — | llama-index | — | v0.14.22 |
| CVE-2024-2952 | critical | — | litellm | — | v0.14.22 |
| CVE-2024-3098 | critical | — | llama-index-core | 0.10.0,< 0.13 | v0.14.22 |
| CVE-2024-3271 | critical | — | llama-index-core | 0.10.0,< 0.13 | v0.14.22 |
| CVE-2024-33663 | critical | — | python-jose | 3.3.0 | v0.14.22 |
| CVE-2024-36039 | critical | — | pymysql | 1.1.0 | v0.14.22 |
| CVE-2024-3829 | critical | — | qdrant-client | 1.7.1 | v0.14.22 |
| CVE-2024-45201 | critical | — | llama-index-core | 0.10.0,< 0.13 | v0.14.22 |
| CVE-2024-48063 | critical | — | torch | 2.3.1 | v0.14.22 |
| CVE-2024-5751 | critical | — | litellm | — | v0.14.22 |
| CVE-2025-14009 | critical | — | nltk | 3.9.1 | v0.14.22 |
| CVE-2025-1793 | critical | — | llama-index | — | v0.14.22 |
| CVE-2025-32434 | critical | — | torch | 2.3.1 | v0.14.22 |
| CVE-2025-43859 | critical | — | h11 | 0.14.0 | v0.14.22 |
| CVE-2025-64712 | critical | — | unstructured | — | v0.14.22 |
| CVE-2026-35030 | critical | — | litellm | — | v0.14.22 |
| CVE-2026-42208 | critical | — | litellm | 1.83.0 | — |
| GHSA-5mg7-485q-xm76 | critical | — | litellm | — | v0.14.22 |
| CVE-2013-1629 | high | — | pip | — | v0.14.22 |
| CVE-2013-1633 | high | — | setuptools | — | v0.14.22 |
| CVE-2013-5123 | high | — | pip | — | v0.14.22 |
| CVE-2014-1858 | high | — | numpy | — | v0.14.22 |
| CVE-2014-1859 | high | — | numpy | — | v0.14.22 |
| CVE-2016-1516 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-1000450 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-11424 | high | — | pyjwt | — | v0.14.22 |
| CVE-2017-12597 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12598 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12599 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12600 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12601 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12602 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12603 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12604 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12605 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12606 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12852 | high | — | numpy | — | v0.14.22 |
| CVE-2017-12862 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12863 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-12864 | high | — | opencv-python | — | v0.14.22 |
| CVE-2017-14158 | high | — | scrapy | 2.13.3 | v0.14.22 |
| CVE-2017-18009 | high | — | opencv-python | — | v0.14.22 |
| CVE-2018-18074 | high | — | requests | 2.31.0,< 3 | v0.14.22 |
| CVE-2019-11324 | high | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2019-12408 | high | — | pyarrow | — | v0.14.22 |
| CVE-2019-12410 | high | — | pyarrow | — | v0.14.22 |
| CVE-2019-14491 | high | — | opencv-python | — | v0.14.22 |
| CVE-2019-14492 | high | — | opencv-python | — | v0.14.22 |
| CVE-2019-14493 | high | — | opencv-python | — | v0.14.22 |
| CVE-2019-20916 | high | — | pip | — | v0.14.22 |
| CVE-2019-5063 | high | — | opencv-python | — | v0.14.22 |
| CVE-2019-5064 | high | — | opencv-python | — | v0.14.22 |
| CVE-2019-9423 | high | — | opencv-python | — | v0.14.22 |
| CVE-2020-7212 | high | — | urllib3 | — | v0.14.22 |
| CVE-2021-33880 | high | — | websockets | 15.0.1,< 16 | v0.14.22 |
| CVE-2021-3572 | high | — | pip | — | v0.14.22 |
| CVE-2021-41495 | high | — | numpy | — | v0.14.22 |
| CVE-2022-28108 | high | — | selenium | 4.15.1,< 5 | v0.14.22 |
| CVE-2022-29217 | high | — | pyjwt | — | v0.14.22 |
| CVE-2022-40897 | high | — | setuptools | — | v0.14.22 |
| CVE-2023-33953 | high | — | grpcio | 1.60.0,< 2 | v0.14.22 |
| CVE-2023-43804 | high | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2023-45875 | high | — | couchbase | 4.3.5 | v0.14.22 |
| CVE-2023-5590 | high | — | selenium | 4.15.1,< 5 | v0.14.22 |
| CVE-2023-7018 | high | — | transformers | — | v0.14.22 |
| CVE-2024-10188 | high | — | litellm | — | v0.14.22 |
| CVE-2024-11392 | high | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2024-11393 | high | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2024-11394 | high | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2024-12704 | high | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2024-12911 | high | — | llama-index | — | v0.14.22 |
| CVE-2024-1892 | high | — | scrapy | — | v0.14.22 |
| CVE-2024-23334 | high | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2024-23342 | high | — | ecdsa | 0.19.0 | v0.14.22 |
| CVE-2024-24762 | high | — | fastapi | 0.104.1 | v0.14.22 |
| CVE-2024-28219 | high | — | pillow | 10.2.0 | v0.14.22 |
| CVE-2024-30251 | high | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2024-31580 | high | — | torch | — | v0.14.22 |
| CVE-2024-31583 | high | — | torch | — | v0.14.22 |
| CVE-2024-3572 | high | — | scrapy | — | v0.14.22 |
| CVE-2024-3574 | high | — | scrapy | — | v0.14.22 |
| CVE-2024-41672 | high | — | duckdb | 0.10.1,< 1.4.0 | v0.14.22 |
| CVE-2024-4181 | high | — | llama-index | — | v0.14.22 |
| CVE-2024-4264 | high | — | litellm | — | v0.14.22 |
| CVE-2024-43805 | high | — | jupyterlab | 4.0.13 | v0.14.22 |
| CVE-2024-43805 | high | — | notebook | 7.0.8 | v0.14.22 |
| CVE-2024-45858 | high | — | guardrails-ai | 0.4.1 | v0.14.22 |
| CVE-2024-47874 | high | — | starlette | 0.27.0 | v0.14.22 |
| CVE-2024-4888 | high | — | litellm | — | v0.14.22 |
| CVE-2024-52595 | high | — | lxml-html-clean | — | v0.14.22 |
| CVE-2024-52804 | high | — | tornado | 6.4.1 | v0.14.22 |
| CVE-2024-53899 | high | — | virtualenv | 20.26.3 | v0.14.22 |
| CVE-2024-6345 | high | — | setuptools | — | v0.14.22 |
| CVE-2024-6587 | high | — | litellm | — | v0.14.22 |
| CVE-2024-6825 | high | — | litellm | — | v0.14.22 |
| CVE-2024-6961 | high | — | guardrails-ai | 0.4.1 | v0.14.22 |
| CVE-2024-8984 | high | — | litellm | — | v0.14.22 |
| CVE-2024-9606 | high | — | litellm | — | v0.14.22 |
| CVE-2025-0330 | high | — | litellm | — | v0.14.22 |
| CVE-2025-0628 | high | — | litellm | — | v0.14.22 |
| CVE-2025-1752 | high | — | llama-index | — | v0.14.22 |
| CVE-2025-1753 | high | — | llama-index-cli | 0.4.0 | v0.14.22 |
| CVE-2025-27154 | high | — | spotipy | 2.23.0 | v0.14.22 |
| CVE-2025-30167 | high | — | jupyter-core | 5.7.2 | v0.14.22 |
| CVE-2025-4565 | high | — | protobuf | 6.30.2 | v0.14.22 |
| CVE-2025-47273 | high | — | setuptools | — | v0.14.22 |
| CVE-2025-47287 | high | — | tornado | 6.4.2 | v0.14.22 |
| CVE-2025-48379 | high | — | pillow | 11.2.1 | v0.14.22 |
| CVE-2025-53000 | high | — | nbconvert | 7.16.6 | v0.14.22 |
| CVE-2025-5302 | high | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2025-53365 | high | — | mcp | 1.24.0,< 2 | v0.14.22 |
| CVE-2025-53366 | high | — | mcp | 1.24.0,< 2 | v0.14.22 |
| CVE-2025-6176 | high | — | scrapy | 2.13.3 | v0.14.22 |
| CVE-2025-6209 | high | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2025-62611 | high | — | aiomysql | 0.2.0 | v0.14.22 |
| CVE-2025-62727 | high | — | starlette | 0.45.3 | v0.14.22 |
| CVE-2025-66416 | high | — | mcp | 1.16.0 | v0.14.22 |
| CVE-2025-66418 | high | — | urllib3 | 2.3.0 | v0.14.22 |
| CVE-2025-66471 | high | — | urllib3 | 1.1.0 | v0.14.22 |
| CVE-2025-67221 | high | — | orjson | 3.10.15 | v0.14.22 |
| CVE-2025-69223 | high | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-7647 | high | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2025-7707 | high | — | llama-index | — | v0.14.22 |
| CVE-2026-0846 | high | — | nltk | 3.9.1 | v0.14.22 |
| CVE-2026-0847 | high | — | nltk | 3.9.1 | v0.14.22 |
| CVE-2026-0994 | high | — | protobuf | 6.30.2 | v0.14.22 |
| CVE-2026-1260 | high | — | sentencepiece | — | v0.14.22 |
| CVE-2026-21226 | high | — | azure-core | 1.35.0 | v0.14.22 |
| CVE-2026-21441 | high | — | urllib3 | 2.3.0 | v0.14.22 |
| CVE-2026-23490 | high | — | pyasn1 | 0.6.1 | v0.14.22 |
| CVE-2026-24486 | high | — | python-multipart | 0.0.18 | v0.14.22 |
| CVE-2026-2473 | high | — | google-cloud-aiplatform | 1.53.0 | v0.14.22 |
| CVE-2026-25990 | high | — | pillow | 11.1.0 | v0.14.22 |
| CVE-2026-26007 | high | — | cryptography | 44.0.2 | v0.14.22 |
| CVE-2026-27459 | high | — | pyopenssl | 25.3.0 | v0.14.22 |
| CVE-2026-27932 | high | — | joserfc | 1.0.4 | v0.14.22 |
| CVE-2026-30922 | high | — | pyasn1 | 0.6.2 | v0.14.22 |
| CVE-2026-31958 | high | — | tornado | 6.5.4 | v0.14.22 |
| CVE-2026-32274 | high | — | black | — | v0.14.22 |
| CVE-2026-32597 | high | — | pyjwt | 2.8.0 | v0.14.22 |
| CVE-2026-32874 | high | — | ujson | 5.10.0 | v0.14.22 |
| CVE-2026-32875 | high | — | ujson | 5.10.0 | v0.14.22 |
| CVE-2026-33079 | high | — | mistune | 3.2.0 | v0.14.22 |
| CVE-2026-33231 | high | — | nltk | 3.9.3 | v0.14.22 |
| CVE-2026-33236 | high | — | nltk | 3.9.1 | v0.14.22 |
| CVE-2026-34444 | high | — | lupa | 2.6 | v0.14.22 |
| CVE-2026-35029 | high | — | litellm | — | v0.14.22 |
| CVE-2026-35397 | high | — | jupyter-server | 2.17.0 | v0.14.22 |
| CVE-2026-35536 | high | — | tornado | 6.5.4 | v0.14.22 |
| CVE-2026-40110 | high | — | jupyter-server | 2.17.0 | v0.14.22 |
| CVE-2026-40171 | high | — | notebook | 7.5.5 | v0.14.22 |
| CVE-2026-40171 | high | — | jupyterlab | 4.5.6 | v0.14.22 |
| CVE-2026-40192 | high | — | pillow | 12.1.1 | v0.14.22 |
| CVE-2026-40934 | high | — | jupyter-server | 2.17.0 | v0.14.22 |
| CVE-2026-41066 | high | — | lxml | 5.1.0 | v0.14.22 |
| CVE-2026-41486 | high | — | ray | 2.54.1 | v0.14.22 |
| CVE-2026-42203 | high | — | litellm | 1.83.0 | v0.14.22 |
| CVE-2026-42215 | high | — | gitpython | 3.1.45 | v0.14.22 |
| CVE-2026-42266 | high | — | jupyterlab | 4.5.6 | v0.14.22 |
| CVE-2026-42271 | high | — | litellm | 1.83.0 | v0.14.22 |
| CVE-2026-42284 | high | — | gitpython | 3.1.45 | v0.14.22 |
| CVE-2026-42311 | high | — | pillow | 12.1.1 | v0.14.22 |
| CVE-2026-42557 | high | — | notebook | 7.5.5 | v0.14.22 |
| CVE-2026-42557 | high | — | jupyterlab | 4.5.6 | v0.14.22 |
| CVE-2026-42561 | high | — | python-multipart | 0.0.22 | v0.14.22 |
| CVE-2026-44209 | high | — | banks | 2.4.1 | v0.14.22 |
| CVE-2026-44243 | high | — | gitpython | 3.1.45 | v0.14.22 |
| CVE-2026-44244 | high | — | gitpython | 3.1.45 | v0.14.22 |
| CVE-2026-44307 | high | — | mako | 1.3.10 | v0.14.22 |
| CVE-2026-44513 | high | — | diffusers | 0.34.0 | v0.14.22 |
| GHSA-69x8-hrgq-fjj8 | high | — | litellm | — | v0.14.22 |
| GHSA-cwxj-rr6w-m6w7 | high | — | scrapy | 2.13.3 | v0.14.22 |
| GHSA-qr4w-53vh-m672 | high | — | opencv-python | — | v0.14.22 |
| CVE-2013-1888 | medium | — | pip | — | v0.14.22 |
| CVE-2013-2132 | medium | — | pymongo | 4.6.1,< 5 | v0.14.22 |
| CVE-2014-1829 | medium | — | requests | 2.31.0,< 3 | v0.14.22 |
| CVE-2014-1830 | medium | — | requests | 2.31.0,< 3 | v0.14.22 |
| CVE-2014-3146 | medium | — | lxml | — | v0.14.22 |
| CVE-2014-8991 | medium | — | pip | — | v0.14.22 |
| CVE-2015-2296 | medium | — | requests | — | v0.14.22 |
| CVE-2016-1517 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2016-9015 | medium | — | urllib3 | — | v0.14.22 |
| CVE-2017-14136 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2017-17760 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2018-19787 | medium | — | lxml | — | v0.14.22 |
| CVE-2018-25091 | medium | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2018-5268 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2018-5269 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2019-11236 | medium | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2019-15939 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2019-16249 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2019-19624 | medium | — | opencv-python | — | v0.14.22 |
| CVE-2020-26137 | medium | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2020-27783 | medium | — | lxml | — | v0.14.22 |
| CVE-2021-28363 | medium | — | urllib3 | — | v0.14.22 |
| CVE-2021-28957 | medium | — | lxml | — | v0.14.22 |
| CVE-2021-29510 | medium | — | pydantic | 2.0,< 3.0 | v0.14.22 |
| CVE-2021-33430 | medium | — | numpy | — | v0.14.22 |
| CVE-2021-34141 | medium | — | numpy | — | v0.14.22 |
| CVE-2021-41125 | medium | — | scrapy | — | v0.14.22 |
| CVE-2021-41496 | medium | — | numpy | — | v0.14.22 |
| CVE-2021-43818 | medium | — | lxml | — | v0.14.22 |
| CVE-2022-0577 | medium | — | scrapy | — | v0.14.22 |
| CVE-2022-2309 | medium | — | lxml | — | v0.14.22 |
| CVE-2022-30187 | medium | — | azure-storage-blob | 12.19.0,< 13 | v0.14.22 |
| CVE-2023-2800 | medium | — | transformers | — | v0.14.22 |
| CVE-2023-32681 | medium | — | requests | — | v0.14.22 |
| CVE-2023-36464 | medium | — | pypdf2 | 3.0.1 | v0.14.22 |
| CVE-2023-37276 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2023-45803 | medium | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2023-47627 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2023-49081 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2023-49082 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2023-5752 | medium | — | pip | — | v0.14.22 |
| CVE-2024-12720 | medium | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2024-12910 | medium | — | llama-index | — | v0.14.22 |
| CVE-2024-1968 | medium | — | scrapy | — | v0.14.22 |
| CVE-2024-21503 | medium | — | black | — | v0.14.22 |
| CVE-2024-23829 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2024-27306 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2024-2965 | medium | — | langchain | 0.1.4 | v0.14.22 |
| CVE-2024-33664 | medium | — | python-jose | 3.3.0 | v0.14.22 |
| CVE-2024-35195 | medium | — | requests | 2.31.0,< 3 | v0.14.22 |
| CVE-2024-35255 | medium | — | azure-identity | 1.7.1,< 2 | v0.14.22 |
| CVE-2024-3772 | medium | — | pydantic | 2.0,< 3.0 | v0.14.22 |
| CVE-2024-37891 | medium | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2024-42367 | medium | — | aiohttp | — | v0.14.22 |
| CVE-2024-46455 | medium | — | unstructured | — | v0.14.22 |
| CVE-2024-47081 | medium | — | requests | 2.31.0,< 3 | v0.14.22 |
| CVE-2024-4890 | medium | — | litellm | — | v0.14.22 |
| CVE-2024-5225 | medium | — | litellm | — | v0.14.22 |
| CVE-2024-52303 | medium | — | aiohttp | — | v0.14.22 |
| CVE-2024-52304 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2024-56201 | medium | — | jinja2 | 3.1.4 | v0.14.22 |
| CVE-2024-5629 | medium | — | pymongo | 4.6.1 | v0.14.22 |
| CVE-2024-56326 | medium | — | jinja2 | 3.1.4 | v0.14.22 |
| CVE-2024-5710 | medium | — | litellm | — | v0.14.22 |
| CVE-2024-6839 | medium | — | flask-cors | 5.0.1 | v0.14.22 |
| CVE-2024-6844 | medium | — | flask-cors | 5.0.1 | v0.14.22 |
| CVE-2024-6866 | medium | — | flask-cors | 5.0.1 | v0.14.22 |
| CVE-2025-1194 | medium | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2025-2099 | medium | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2025-27516 | medium | — | jinja2 | 3.1.4 | v0.14.22 |
| CVE-2025-3108 | medium | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2025-3262 | medium | — | transformers | — | v0.14.22 |
| CVE-2025-3263 | medium | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2025-3264 | medium | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2025-3730 | medium | — | torch | 2.3.1 | v0.14.22 |
| CVE-2025-3933 | medium | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2025-41419 | medium | — | ms-swift | 3.4.0 | v0.14.22 |
| CVE-2025-50181 | medium | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2025-50182 | medium | — | urllib3 | 2.3.0 | v0.14.22 |
| CVE-2025-51464 | medium | — | aim | 3.29.1 | v0.14.22 |
| CVE-2025-5197 | medium | — | transformers | 4.52.4 | v0.14.22 |
| CVE-2025-54121 | medium | — | starlette | 0.27.0 | v0.14.22 |
| CVE-2025-5472 | medium | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2025-55197 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2025-57804 | medium | — | h2 | 4.2.0 | v0.14.22 |
| CVE-2025-6051 | medium | — | transformers | 4.52.4 | v0.14.22 |
| CVE-2025-61669 | medium | — | jupyter-server | 2.17.0 | v0.14.22 |
| CVE-2025-6208 | medium | — | llama-index-core | 0.12.0 | v0.14.22 |
| CVE-2025-6211 | medium | — | llama-index | — | v0.14.22 |
| CVE-2025-62608 | medium | — | mlx | 0.11.0 | v0.14.22 |
| CVE-2025-62609 | medium | — | mlx | 0.11.0 | v0.14.22 |
| CVE-2025-62707 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2025-62708 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2025-66019 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2025-66034 | medium | — | fonttools | 4.57.0 | v0.14.22 |
| CVE-2025-66221 | medium | — | werkzeug | 3.1.3 | v0.14.22 |
| CVE-2025-6638 | medium | — | transformers | 4.52.4 | v0.14.22 |
| CVE-2025-68146 | medium | — | filelock | 3.18.0 | v0.14.22 |
| CVE-2025-68480 | medium | — | marshmallow | 3.26.0 | v0.14.22 |
| CVE-2025-6921 | medium | — | transformers | 4.52.4 | v0.14.22 |
| CVE-2025-69227 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-69228 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-69229 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-69872 | medium | — | diskcache | 5.6.3 | v0.14.22 |
| CVE-2025-71176 | medium | — | pytest | 7.2.1 | v0.14.22 |
| CVE-2025-8869 | medium | — | pip | — | v0.14.22 |
| CVE-2026-1839 | medium | — | transformers | 4.57.6 | v0.14.22 |
| CVE-2026-21860 | medium | — | werkzeug | 3.1.3 | v0.14.22 |
| CVE-2026-22701 | medium | — | filelock | 3.18.0 | v0.14.22 |
| CVE-2026-22702 | medium | — | virtualenv | 20.32.0 | v0.14.22 |
| CVE-2026-22815 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-24688 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-25645 | medium | — | requests | 2.31.0,< 3 | v0.14.22 |
| CVE-2026-27024 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-27025 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-27026 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-27199 | medium | — | werkzeug | 3.1.3 | v0.14.22 |
| CVE-2026-27888 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-28348 | medium | — | lxml-html-clean | 0.4.2 | v0.14.22 |
| CVE-2026-28350 | medium | — | lxml-html-clean | 0.4.2 | v0.14.22 |
| CVE-2026-28351 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-28684 | medium | — | python-dotenv | 1.0.0,< 2 | v0.14.22 |
| CVE-2026-28804 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-31826 | medium | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-3219 | medium | — | pip | 26.0.1 | v0.14.22 |
| CVE-2026-32889 | medium | — | tinytag | 2.2.0 | v0.14.22 |
| CVE-2026-33123 | medium | — | pypdf | 6.8.0 | v0.14.22 |
| CVE-2026-33230 | medium | — | nltk | 3.9.3 | v0.14.22 |
| CVE-2026-33699 | medium | — | pypdf | 6.8.0 | v0.14.22 |
| CVE-2026-33936 | medium | — | ecdsa | 0.19.0 | v0.14.22 |
| CVE-2026-34450 | medium | — | anthropic | — | v0.14.22 |
| CVE-2026-34452 | medium | — | anthropic | — | v0.14.22 |
| CVE-2026-34515 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34516 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34525 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-39377 | medium | — | nbconvert | 7.17.0 | v0.14.22 |
| CVE-2026-39378 | medium | — | nbconvert | 7.17.0 | v0.14.22 |
| CVE-2026-39892 | medium | — | cryptography | 46.0.6 | v0.14.22 |
| CVE-2026-40087 | medium | — | langchain-core | 1.2.25 | v0.14.22 |
| CVE-2026-40260 | medium | — | pypdf | 6.9.2 | v0.14.22 |
| CVE-2026-40347 | medium | — | python-multipart | 0.0.22 | v0.14.22 |
| CVE-2026-41168 | medium | — | pypdf | 6.9.2 | v0.14.22 |
| CVE-2026-41182 | medium | — | langsmith | 0.7.25 | v0.14.22 |
| CVE-2026-41205 | medium | — | mako | 1.3.10 | v0.14.22 |
| CVE-2026-41312 | medium | — | pypdf | 6.9.2 | v0.14.22 |
| CVE-2026-41313 | medium | — | pypdf | 6.9.2 | v0.14.22 |
| CVE-2026-41314 | medium | — | pypdf | 6.9.2 | v0.14.22 |
| CVE-2026-41425 | medium | — | authlib | 1.6.9 | v0.14.22 |
| CVE-2026-41481 | medium | — | langchain-text-splitters | 1.1.1 | v0.14.22 |
| CVE-2026-42308 | medium | — | pillow | 12.1.1 | v0.14.22 |
| CVE-2026-42309 | medium | — | pillow | 12.1.1 | v0.14.22 |
| CVE-2026-42310 | medium | — | pillow | 12.1.1 | v0.14.22 |
| CVE-2026-44222 | medium | — | vllm | 0.19.0 | v0.14.22 |
| CVE-2026-44223 | medium | — | vllm | 0.19.0 | v0.14.22 |
| CVE-2026-6357 | medium | — | pip | 26.0.1 | v0.14.22 |
| GHSA-23j4-mw76-5v7h | medium | — | scrapy | — | v0.14.22 |
| GHSA-78cv-mqj4-43f7 | medium | — | tornado | 6.5.4 | v0.14.22 |
| GHSA-9x8m-2xpf-crp3 | medium | — | scrapy | — | v0.14.22 |
| GHSA-h4gh-qq45-vh27 | medium | — | cryptography | 43.0.0 | v0.14.22 |
| GHSA-jm3v-qxmh-hxwv | medium | — | scrapy | — | v0.14.22 |
| GHSA-mfjm-vh54-3f96 | medium | — | scrapy | — | v0.14.22 |
| GHSA-pjjw-qhg8-p2p9 | medium | — | aiohttp | 3.7.4 | v0.14.22 |
| GHSA-r54c-2xmf-2cf3 | medium | — | ms-swift | 3.4.0 | v0.14.22 |
| GHSA-rf74-v2fm-23pw | medium | — | nltk | 3.9.3 | v0.14.22 |
| CVE-2021-21330 | low | — | aiohttp | 3.9.1,< 4 | v0.14.22 |
| CVE-2023-47641 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2024-12797 | low | — | cryptography | 43.0.3 | v0.14.22 |
| CVE-2024-34062 | low | — | tqdm | 4.66.1 | v0.14.22 |
| CVE-2024-3568 | low | — | transformers | 4.37.2 | v0.14.22 |
| CVE-2024-53861 | low | — | pyjwt | — | v0.14.22 |
| CVE-2024-8309 | low | — | langchain | 0.1.4 | v0.14.22 |
| CVE-2025-2953 | low | — | torch | 2.3.1 | v0.14.22 |
| CVE-2025-3777 | low | — | transformers | 4.41.2 | v0.14.22 |
| CVE-2025-46656 | low | — | markdownify | 1.2.0,< 2.0.0 | v0.14.22 |
| CVE-2025-47278 | low | — | flask | 3.1.0 | v0.14.22 |
| CVE-2025-50460 | low | — | ms-swift | 3.4.0 | v0.14.22 |
| CVE-2025-5321 | low | — | aim | 3.29.1 | v0.14.22 |
| CVE-2025-53643 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-59842 | low | — | jupyterlab | 4.0.13 | v0.14.22 |
| CVE-2025-66040 | low | — | spotipy | 2.23.0 | v0.14.22 |
| CVE-2025-69224 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-69225 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-69226 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2025-69230 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-1703 | low | — | pip | — | v0.14.22 |
| CVE-2026-22690 | low | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-22691 | low | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-27205 | low | — | flask | 3.1.0 | v0.14.22 |
| CVE-2026-27448 | low | — | pyopenssl | 25.3.0 | v0.14.22 |
| CVE-2026-27628 | low | — | pypdf | 5.2.0 | v0.14.22 |
| CVE-2026-34073 | low | — | cryptography | 44.0.2 | v0.14.22 |
| CVE-2026-34513 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34514 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34517 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34518 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34519 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-34520 | low | — | aiohttp | 3.7.4 | v0.14.22 |
| CVE-2026-4539 | low | — | pygments | 2.19.2 | v0.14.22 |
| CVE-2026-7141 | low | — | vllm | 0.19.0 | v0.14.22 |
| CVE-2026-7597 | low | — | mem0ai | 1.0.2 | v0.14.22 |
| CVE-2017-8359 | unknown | — | grpcio | 1.60.0,< 2 | v0.14.22 |
| CVE-2018-1000518 | unknown | — | websockets | 15.0.1,< 16 | v0.14.22 |
| CVE-2020-13091 | unknown | — | pandas | — | v0.14.22 |
| CVE-2021-33503 | unknown | — | urllib3 | 1.21.1,< 3 | v0.14.22 |
| CVE-2024-28088 | unknown | — | langchain | 0.1.4 | v0.14.22 |
| CVE-2024-31584 | unknown | — | torch | — | v0.14.22 |
| CVE-2024-45201 | unknown | — | llama-index | — | v0.14.22 |
| CVE-2024-52338 | unknown | — | pyarrow | — | v0.14.22 |
| CVE-2025-6209 | unknown | — | llama-index | — | v0.14.22 |
| MAL-2026-2144 | unknown | — | litellm | — | v0.14.22 |
| PYSEC-2023-183 | unknown | — | opencv-python | — | v0.14.22 |
| PYSEC-2026-2 | unknown | — | litellm | — | v0.14.22 |
Showing 399 of 399