
Security Deep Dive

mediacms

Security posture and CVE patch evidence from tracked releases.


4 critical dependency CVEs affect v8.2.0.

Audit transitive dependencies; consider upgrading or pinning replacements.

Signed: — · SLSA: — · SBOM: — · Security policy: ✓ · Weekly cadence (0d median) · Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

Trust signal | Status | Evidence | Source | Note
Signed releases | Unknown | Latest release artifact signature | Latest release |
SLSA provenance | Unknown | Attestation predicate level | Latest release |
SBOM published | Unknown | GitHub SBOM API | Latest release |
SECURITY.md | Present | GitHub repository metadata | Repository policy | Checked: 22d ago
Release cadence (weekly) | Present | 0d median over recent releases | Release history | Latest release: 3d ago
Maintainer active | Present | Recent commit activity | Repository | Last commit: 3d ago
Checksums (SHA256SUMS) | Not active yet | SHA256SUMS or equivalent | Release asset | Latest release: 3d ago
GitHub Actions attestation | Not active yet | actions/attest-build-provenance | Workflow file | Latest release: 3d ago
Signing assets | Not active yet | .sig, .crt, cosign.pub, or similar | Release asset | Latest release: 3d ago
Security Score: 3.8/10
Dependency Exposure: 155 transitive dependency CVEs found in the latest SBOM; 4 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Component | Score | Note
epss | 0.25 / 0.5 | No EPSS data
freshness | 1.00 / 1.0 | 2d stale
scorecard | 2.00 / 4.0 | ⚠ Estimated — not yet collected
cve health | 0.00 / 2.5 | ⚠ No direct scan — transitive CVEs: 4 critical / 69 high
patch speed | 0.50 / 0.5 | ⚠ Estimated — no CVE patch history
kev exposure | 1.50 / 1.5 | No KEV exposure
supply chain risk | -1.50 / 10.0 | Risk 100.0/100

Score breakdown (schema v2)

Dimension | Score | Weight | Details
Vulnerability posture | 0.0 | 25% | direct cves: clear; cve scan: estimated
Release responsiveness | 10.0 | 5% | patch speed days: no_history
Dependency exposure | 0.0 | 10% | supply chain risk: 100.0; transitive cves: 4 critical / 69 high
Provenance trust | 5.0 | 40% | scorecard score: estimated; openssf badge: none
Maintainer health | 10.0 | 10% | activity freshness: 2d
Operational risk | 8.5 | 10% | kev exposure: clear; epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk: 100.0/100
Transitive critical CVEs: 4
KEV-transitive CVEs: 0
Dependency freshness: 43%

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

4136 dependencies scanned.

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 4 · High: 69 · Medium: 60 · Low: 22 · Unknown: 0
CVE | Severity | KEV | Dependency | Affected version | Cleared in release
CVE-2022-29078 | critical | | ejs | 2.7.4 | v7.7.0
CVE-2023-45133 | critical | | babel-traverse | 6.26.0 | v7.7.0
CVE-2025-64459 | critical | | django | 5.2.6 | v7.7.0
CVE-2026-33937 | critical | | handlebars | 4.7.8 | v7.7.0
CVE-2018-18074 | high | | requests | | v7.7.0
CVE-2021-3803 | high | | nth-check | 1.0.2 | v7.7.0
CVE-2022-24771 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2022-24772 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2022-37620 | high | | html-minifier | 4.0.0 | v7.7.0
CVE-2022-46175 | high | | json5 | 0.5.1 | v7.7.0
CVE-2024-21536 | high | | http-proxy-middleware | 0.19.1 | v7.7.0
CVE-2024-29180 | high | | webpack-dev-middleware | 3.7.3 | v7.7.0
CVE-2024-29415 | high | | ip | 1.1.9 | v7.7.0
CVE-2024-4068 | high | | braces | 2.3.2 | v7.7.0
CVE-2024-4367 | high | | pdfjs-dist | 3.4.120 | v7.7.0
CVE-2024-47068 | high | | rollup | 2.79.1 | v7.7.0
CVE-2025-12816 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2025-27152 | high | | axios | 0.21.4 | v7.7.0
CVE-2025-59057 | high | | react-router | 7.6.2 | v7.7.0
CVE-2025-59681 | high | | django | 5.2.6 | v7.7.0
CVE-2025-64458 | high | | django | 5.2.6 | v7.7.0
CVE-2025-64756 | high | | glob | 10.4.5 | v7.7.0
CVE-2025-66031 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2026-1207 | high | | django | 5.2.6 | v7.7.0
CVE-2026-1287 | high | | django | 5.2.6 | v7.7.0
CVE-2026-21884 | high | | react-router | 7.6.2 | v7.7.0
CVE-2026-22029 | high | | react-router | 7.6.2 | v7.7.0
CVE-2026-23745 | high | | tar | 7.4.3 | v7.7.0
CVE-2026-23950 | high | | tar | 7.4.3 | v7.7.0
CVE-2026-24842 | high | | tar | 7.4.3 | v7.7.0
CVE-2026-25639 | high | | axios | 0.21.4 | v7.7.0
CVE-2026-25673 | high | | django | 5.2.6 | v7.7.0
CVE-2026-25990 | high | | pillow | 11.1.0 | v7.7.0
CVE-2026-26960 | high | | tar | 7.4.3 | v7.7.0
CVE-2026-26996 | high | | minimatch | 5.1.6 | v7.7.0
CVE-2026-27606 | high | | rollup | 3.29.5 | v7.7.0
CVE-2026-27903 | high | | minimatch | 5.1.6 | v7.7.0
CVE-2026-27904 | high | | minimatch | 5.1.6 | v7.7.0
CVE-2026-29063 | high | | immutable | 5.1.3 | v7.7.0
CVE-2026-29074 | high | | svgo | 2.8.0 | v7.7.0
CVE-2026-29786 | high | | tar | 7.4.3 | v7.7.0
CVE-2026-31802 | high | | tar | 7.4.3 | v7.7.0
CVE-2026-32141 | high | | flatted | 3.3.3 | v7.7.0
CVE-2026-33034 | high | | django | 5.2.6 | v7.7.0
CVE-2026-33228 | high | | flatted | 3.3.3 | v7.7.0
CVE-2026-33671 | high | | picomatch | 2.3.1 | v7.7.0
CVE-2026-33891 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2026-33894 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2026-33895 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2026-33896 | high | | node-forge | 0.10.0 | v7.7.0
CVE-2026-33938 | high | | handlebars | 4.7.8 | v7.7.0
CVE-2026-33939 | high | | handlebars | 4.7.8 | v7.7.0
CVE-2026-33940 | high | | handlebars | 4.7.8 | v7.7.0
CVE-2026-33941 | high | | handlebars | 4.7.8 | v7.7.0
CVE-2026-34601 | high | | @xmldom/xmldom | 0.8.10 | v7.7.0
CVE-2026-3902 | high | | django | 5.2.6 | v7.7.0
CVE-2026-40192 | high | | pillow | 11.1.0 | v7.7.0
CVE-2026-41672 | high | | @xmldom/xmldom | 0.8.10 | v7.7.0
CVE-2026-41673 | high | | @xmldom/xmldom | 0.8.10 | v7.7.0
CVE-2026-41674 | high | | @xmldom/xmldom | 0.8.10 | v7.7.0
CVE-2026-41675 | high | | @xmldom/xmldom | 0.8.10 | v7.7.0
CVE-2026-42033 | high | | axios | 0.21.4 | v7.7.0
CVE-2026-42035 | high | | axios | 0.21.4 | v7.7.0
CVE-2026-42043 | high | | axios | 0.21.4 | v7.7.0
CVE-2026-42264 | high | | axios | 1.13.2 | v7.7.0
CVE-2026-42311 | high | | pillow | 11.1.0 | v7.7.0
CVE-2026-44728 | high | | @babel/plugin-transform-modules-systemjs | 7.28.5 | v7.7.0
CVE-2026-4800 | high | | lodash-es | 4.17.21 | v7.7.0
CVE-2026-4800 | high | | lodash | 4.17.21 | v7.7.0
CVE-2026-4867 | high | | path-to-regexp | 0.1.12 | v7.7.0
CVE-2026-6321 | high | | fast-uri | 3.0.6 | v7.7.0
CVE-2026-6322 | high | | fast-uri | 3.0.6 | v7.7.0
GHSA-5c6j-r48x-rmvq | high | | serialize-javascript | 6.0.2 | v7.7.0
CVE-2014-1829 | medium | | requests | | v7.7.0
CVE-2014-1830 | medium | | requests | | v7.7.0
CVE-2015-2296 | medium | | requests | | v7.7.0
CVE-2022-0122 | medium | | node-forge | 0.10.0 | v7.7.0
CVE-2022-24773 | medium | | node-forge | 0.10.0 | v7.7.0
CVE-2023-32681 | medium | | requests | | v7.7.0
CVE-2023-45857 | medium | | axios | 0.21.4 | v7.7.0
CVE-2024-33883 | medium | | ejs | 2.7.4 | v7.7.0
CVE-2024-35195 | medium | | requests | | v7.7.0
CVE-2024-4067 | medium | | micromatch | 3.1.10 | v7.7.0
CVE-2024-47081 | medium | | requests | 2.32.3 | v7.7.0
CVE-2025-13372 | medium | | django | 5.2.6 | v7.7.0
CVE-2025-13465 | medium | | lodash | 4.17.21 | v7.7.0
CVE-2025-13465 | medium | | lodash-es | 4.17.21 | v7.7.0
CVE-2025-15284 | medium | | qs | 6.13.0 | v7.7.0
CVE-2025-27789 | medium | | @babel/runtime | 7.4.5 | v7.7.0
CVE-2025-30359 | medium | | webpack-dev-server | 3.11.3 | v7.7.0
CVE-2025-30360 | medium | | webpack-dev-server | 3.11.3 | v7.7.0
CVE-2025-32996 | medium | | http-proxy-middleware | 1.3.1 | v7.7.0
CVE-2025-32997 | medium | | http-proxy-middleware | 1.3.1 | v7.7.0
CVE-2025-62522 | medium | | vite | 4.5.14 | v7.7.0
CVE-2025-62718 | medium | | axios | 0.21.4 | v7.7.0
CVE-2025-64460 | medium | | django | 5.2.6 | v7.7.0
CVE-2025-64718 | medium | | js-yaml | 4.1.0 | v7.7.0
CVE-2025-65430 | medium | | django-allauth | 65.4.1 | v7.7.0
CVE-2025-65431 | medium | | django-allauth | 65.4.1 | v7.7.0
CVE-2025-66030 | medium | | node-forge | 0.10.0 | v7.7.0
CVE-2025-68470 | medium | | react-router | 7.6.2 | v7.7.0
CVE-2025-69534 | medium | | markdown | 3.7 | v7.7.0
CVE-2025-69873 | medium | | ajv | 6.12.6 | v7.7.0
CVE-2026-1312 | medium | | django | 5.2.6 | v7.7.0
CVE-2026-22030 | medium | | react-router | 7.6.2 | v7.7.0
CVE-2026-25645 | medium | | requests | 2.32.3 | v7.7.0
CVE-2026-2739 | medium | | bn.js | 5.2.2 | v7.7.0
CVE-2026-27982 | medium | | django-allauth | 65.4.1 | v7.7.0
CVE-2026-2950 | medium | | lodash-es | 4.17.21 | v7.7.0
CVE-2026-2950 | medium | | lodash | 4.17.21 | v7.7.0
CVE-2026-33033 | medium | | django | 5.2.6 | v7.7.0
CVE-2026-33532 | medium | | yaml | 1.10.2 | v7.7.0
CVE-2026-33672 | medium | | picomatch | 2.3.1 | v7.7.0
CVE-2026-33750 | medium | | brace-expansion | 2.0.2 | v7.7.0
CVE-2026-33916 | medium | | handlebars | 4.7.8 | v7.7.0
CVE-2026-34043 | medium | | serialize-javascript | 6.0.2 | v7.7.0
CVE-2026-39365 | medium | | vite | 4.5.14 | v7.7.0
CVE-2026-40175 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-41305 | medium | | postcss | 8.5.6 | v7.7.0
CVE-2026-42034 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-42036 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-42037 | medium | | axios | 1.13.2 | v7.7.0
CVE-2026-42038 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-42039 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-42041 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-42042 | medium | | axios | 0.21.4 | v7.7.0
CVE-2026-42044 | medium | | axios | 1.13.2 | v7.7.0
CVE-2026-42308 | medium | | pillow | 11.1.0 | v7.7.0
CVE-2026-42310 | medium | | pillow | 11.1.0 | v7.7.0
CVE-2026-42338 | medium | | ip-address | 9.0.5 | v7.7.0
GHSA-67mh-4wv8-2f99 | medium | | esbuild | 0.18.20 | v7.7.0
GHSA-7rx3-28cr-v5wh | medium | | handlebars | 4.7.8 | v7.7.0
GHSA-r4q5-vmmm-2653 | medium | | follow-redirects | 1.15.9 | v7.7.0
CVE-2025-13473 | low | | django | 5.2.6 | v7.7.0
CVE-2025-14505 | low | | elliptic | 6.6.1 | v7.7.0
CVE-2025-14550 | low | | django | 5.2.6 | v7.7.0
CVE-2025-57352 | low | | min-document | 2.19.0 | v7.7.0
CVE-2025-58751 | low | | vite | 4.5.14 | v7.7.0
CVE-2025-58752 | low | | vite | 4.5.14 | v7.7.0
CVE-2025-5889 | low | | brace-expansion | 2.0.1 | v7.7.0
CVE-2025-59682 | low | | django | 5.2.6 | v7.7.0
CVE-2025-68157 | low | | webpack | 5.103.0 | v7.7.0
CVE-2025-68458 | low | | webpack | 5.103.0 | v7.7.0
CVE-2025-7339 | low | | on-headers | 1.0.2 | v7.7.0
CVE-2026-1285 | low | | django | 5.2.6 | v7.7.0
CVE-2026-2391 | low | | qs | 6.13.0 | v7.7.0
CVE-2026-24001 | low | | diff | 5.2.0 | v7.7.0
CVE-2026-25674 | low | | django | 5.2.6 | v7.7.0
CVE-2026-42040 | low | | axios | 0.21.4 | v7.7.0
CVE-2026-4277 | low | | django | 5.2.6 | v7.7.0
CVE-2026-4292 | low | | django | 5.2.6 | v7.7.0
GHSA-442j-39wm-28r2 | low | | handlebars | 4.7.8 | v7.7.0
GHSA-5rrq-pxf6-6jx5 | low | | node-forge | 0.10.0 | v7.7.0
GHSA-gf8q-jrpm-jvxq | low | | node-forge | 0.10.0 | v7.7.0
GHSA-xffm-g5w8-qvg7 | low | | @eslint/plugin-kit | 0.3.2 | v7.7.0

