
Security Deep Dive

NewsBlur

Security posture and CVE patch evidence from tracked releases.


1 actively-exploited dependency CVE affects v0.1.0.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

Signed: unknown · SLSA: unknown · SBOM: present · Security policy: absent · Release cadence: weekly (11d median) · Maintainer: active

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

Signed releases: Unknown (evidence: latest release artifact signature, latest release)
SLSA provenance: Unknown (evidence: attestation predicate level, latest release)
SBOM published: Present (evidence: GitHub SBOM API, latest release; last verified 28d ago)
SECURITY.md: Absent (evidence: GitHub repository metadata, repository policy; checked 18d ago)
Release cadence (weekly): Present (evidence: 11d median over recent releases, release history; latest release 2mo ago)
Maintainer active: Present (evidence: recent commit activity, repository; last commit 15d ago)
Checksums (SHA256SUMS): Not active yet (evidence: SHA256SUMS or equivalent release asset; latest release 2mo ago)
GitHub Actions attestation: Not active yet (evidence: actions/attest-build-provenance workflow file; latest release 2mo ago)
Signing assets: Not active yet (evidence: .sig, .crt, cosign.pub, or similar release asset; latest release 2mo ago)
Security score: 3.2/10
Scorecard: 3.5/10
Dependency exposure: 191 transitive dependency CVEs found in the latest SBOM, 20 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Component scores:

epss: 0.25 / 0.5 (No EPSS data)
freshness: 1.00 / 1.0 (15d stale)
scorecard: 1.40 / 4.0 (Scorecard 3.5/10)
cve health: 0.00 / 2.5 (No open CVEs)
patch speed: 0.50 / 0.5 (⚠ Estimated: no CVE patch history)
kev exposure: 1.50 / 1.5 (No KEV exposure)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown (schema v2)

Vulnerability posture: 0.0 (weight 25%); direct cves: clear; cve scan: available
Release responsiveness: 10.0 (weight 5%); patch speed days: no_history
Dependency exposure: 0.0 (weight 10%); supply chain risk: 100.0; transitive cves: 25c/115h
Provenance trust: 3.5 (weight 40%); scorecard score: 3.5; openssf badge: none
Maintainer health: 10.0 (weight 10%); activity freshness: 15d
Operational risk: 8.5 (weight 10%); kev exposure: detected; epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk: 100.0/100
Transitive critical CVEs: 20
KEV-transitive CVEs: 1
Dependency freshness: 61%

Scorecard

Scorecard: 3.5/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 0 Found 0/30 approved changesets -- score normalized to 0
Maintained 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow 10 no dangerous workflow patterns detected
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
Security-Policy 0 security policy file not detected
License 10 license file detected
SAST 0 no SAST tool detected
Packaging 10 packaging workflow detected
Signed-Releases 0 Project has not signed or included provenance with any releases.
Branch-Protection 0 branch protection not enabled on development/release branches
Binary-Artifacts 6 binaries present in source code
Fuzzing 0 project is not fuzzed
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0

OpenSSF Badge

OpenSSF badge: none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

1165 dependencies scanned.

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 20 · High: 87 · Medium: 56 · Low: 25 · Unknown: 3

1 dependency vulnerability is in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

CVE Severity KEV Dependency Affected version Cleared in release
CVE-2020-14343 critical pyyaml 5.3.1
CVE-2021-25289 critical pillow 8.0.1
CVE-2021-34552 critical pillow 8.0.1
CVE-2021-35042 critical django 3.1.10
CVE-2021-3918 critical json-schema 0.2.3
CVE-2021-44906 critical minimist 1.2.0
CVE-2022-22817 critical pillow 8.0.1
CVE-2022-37601 critical loader-utils 1.2.3
CVE-2023-41419 critical gevent 22.10.2
CVE-2023-45133 critical @babel/traverse 7.5.0
CVE-2023-45311 critical fsevents 1.2.9
CVE-2023-50447 critical pillow 8.0.1
CVE-2024-36039 critical pymysql 0.10.1
CVE-2025-64459 critical django 3.1.10
CVE-2025-6545 critical pbkdf2 3.0.17
CVE-2025-6547 critical pbkdf2 3.0.17
CVE-2025-7783 critical form-data 2.3.3
CVE-2025-9287 critical cipher-base 1.0.4
CVE-2025-9288 critical sha.js 2.4.11
GHSA-vjh7-7g9h-fjfh critical elliptic 6.5.0
CVE-2019-20149 high kind-of 6.0.2
CVE-2020-13822 high elliptic 6.5.0
CVE-2020-35653 high pillow 8.0.1
CVE-2020-35654 high pillow 8.0.1
CVE-2020-7660 high serialize-javascript 1.7.0
CVE-2020-7774 high y18n 4.0.0
CVE-2020-7788 high ini 1.3.5
CVE-2020-8203 high lodash.pick 4.4.0
CVE-2020-8203 high lodash 4.17.14
CVE-2021-23337 high lodash 4.17.14
CVE-2021-23437 high pillow 8.0.1
CVE-2021-23727 high celery 4.4.7
CVE-2021-25287 high pillow 8.0.1
CVE-2021-25288 high pillow 8.0.1
CVE-2021-25290 high pillow 8.0.1
CVE-2021-25291 high pillow 8.0.1
CVE-2021-25293 high pillow 8.0.1
CVE-2021-27290 high ssri 6.0.1
CVE-2021-27921 high pillow 8.0.1
CVE-2021-27922 high pillow 8.0.1
CVE-2021-27923 high pillow 8.0.1
CVE-2021-28675 high pillow 8.0.1
CVE-2021-28676 high pillow 8.0.1
CVE-2021-28677 high pillow 8.0.1
CVE-2021-32803 high tar 4.4.8
CVE-2021-32804 high tar 4.4.8
CVE-2021-32839 high sqlparse 0.4.1
CVE-2021-33571 high django 3.1.10
CVE-2021-37701 high tar 4.4.8
CVE-2021-37712 high tar 4.4.8
CVE-2021-37713 high tar 4.4.8
CVE-2021-3803 high nth-check 1.0.2
CVE-2021-3807 high ansi-regex 4.1.0
CVE-2021-43138 high async 3.1.0
CVE-2022-24303 high pillow 8.0.1
CVE-2022-24434 high dicer 0.3.0
CVE-2022-24785 high moment 2.29.1
CVE-2022-24999 high qs 6.5.2
CVE-2022-25858 high terser 4.1.2
CVE-2022-25883 high semver 6.2.0
CVE-2022-31129 high moment 2.29.1
CVE-2022-3517 high minimatch 3.0.4
CVE-2022-36359 high django 3.1.10
CVE-2022-37599 high loader-utils 1.2.3
CVE-2022-37603 high loader-utils 1.2.3
CVE-2022-38900 high decode-uri-component 0.2.0
CVE-2022-40899 high future 0.18.2
CVE-2022-45198 high pillow 8.0.1
CVE-2022-46175 high json5 1.0.1
CVE-2023-0286 high cryptography 3.4.7
CVE-2023-37920 high certifi 2020.12.5
CVE-2023-44271 high pillow 8.0.1
CVE-2023-46234 high browserify-sign 4.0.4
CVE-2023-4863 high KEV pillow 8.0.1
CVE-2023-50782 high cryptography 3.4.7
CVE-2024-1135 high gunicorn 21.2.0
CVE-2024-21538 high cross-spawn 6.0.5
CVE-2024-28219 high pillow 8.0.1
CVE-2024-37890 high ws 7.5.5
CVE-2024-4068 high braces 2.3.2
CVE-2024-4340 high sqlparse 0.4.1
CVE-2024-45296 high path-to-regexp 0.1.7
CVE-2024-45590 high body-parser 1.19.0
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2024-53899 high virtualenv 20.4.6
CVE-2024-6827 high gunicorn 21.2.0
CVE-2025-57833 high django 3.1.10
CVE-2025-64458 high django 3.1.10
CVE-2026-23745 high tar 4.4.8
CVE-2026-23950 high tar 4.4.8
CVE-2026-24842 high tar 4.4.8
CVE-2026-26007 high cryptography 3.4.7
CVE-2026-26960 high tar 4.4.8
CVE-2026-26996 high minimatch 3.0.4
CVE-2026-27903 high minimatch 3.0.4
CVE-2026-27904 high minimatch 3.0.4
CVE-2026-29786 high tar 4.4.8
CVE-2026-30922 high pyasn1 0.4.8
CVE-2026-31802 high tar 4.4.8
CVE-2026-33151 high socket.io-parser 4.2.4
CVE-2026-35611 high addressable 2.8.7
CVE-2026-41066 high lxml 5.1.0
CVE-2026-42561 high python-multipart 0.0.22
CVE-2026-4800 high lodash 4.17.14
CVE-2026-4867 high path-to-regexp 0.1.7
GHSA-5c6j-r48x-rmvq high serialize-javascript 1.7.0
GHSA-6chw-6frg-f759 high acorn 6.2.0
CVE-2019-16769 medium serialize-javascript 1.7.0
CVE-2020-15366 medium ajv 6.10.1
CVE-2020-28498 medium elliptic 6.5.0
CVE-2020-28500 medium lodash 4.17.14
CVE-2020-35655 medium pillow 8.0.1
CVE-2020-7598 medium minimist 1.2.0
CVE-2020-7608 medium yargs-parser 13.1.1
CVE-2021-23343 medium path-parse 1.0.6
CVE-2021-23362 medium hosted-git-info 2.7.1
CVE-2021-23980 medium bleach 3.2.1
CVE-2021-25292 medium pillow 8.0.1
CVE-2021-28678 medium pillow 8.0.1
CVE-2021-33203 medium django 3.1.10
CVE-2021-44420 medium django 3.1.10
CVE-2022-22815 medium pillow 8.0.1
CVE-2022-22816 medium pillow 8.0.1
CVE-2022-23491 medium certifi 2020.12.5
CVE-2023-23931 medium cryptography 3.4.7
CVE-2023-26136 medium tough-cookie 2.4.3
CVE-2023-28155 medium request 2.88.0
CVE-2023-29483 medium dnspython 2.0.0
CVE-2023-30608 medium sqlparse 0.4.1
CVE-2023-32681 medium requests 2.25.0
CVE-2023-49083 medium cryptography 3.4.7
CVE-2024-0727 medium cryptography 3.4.7
CVE-2024-28863 medium tar 4.4.8
CVE-2024-29041 medium express 4.17.1
CVE-2024-34064 medium jinja2 3.1.3
CVE-2024-3651 medium idna 2.10
CVE-2024-4067 medium micromatch 3.1.10
CVE-2024-45231 medium django 3.1.10
CVE-2024-56201 medium jinja2 3.1.3
CVE-2024-56326 medium jinja2 3.1.3
CVE-2025-13465 medium lodash 4.17.14
CVE-2025-15284 medium qs 6.5.2
CVE-2025-27516 medium jinja2 3.1.3
CVE-2025-27789 medium @babel/runtime 7.5.4
CVE-2025-27789 medium @babel/runtime-corejs2 7.15.4
CVE-2025-48432 medium django 3.1.10
CVE-2025-68146 medium filelock 3.0.12
CVE-2025-69873 medium ajv 6.10.1
CVE-2025-71176 medium pytest 9.0.2
CVE-2026-22701 medium filelock 3.0.12
CVE-2026-22702 medium virtualenv 20.4.6
CVE-2026-2739 medium bn.js 4.11.8
CVE-2026-2950 medium lodash 4.17.14
CVE-2026-33750 medium brace-expansion 1.1.11
CVE-2026-34043 medium serialize-javascript 1.7.0
CVE-2026-39892 medium cryptography 46.0.5
CVE-2026-40347 medium python-multipart 0.0.22
CVE-2026-41425 medium authlib 1.6.9
CVE-2026-42308 medium pillow 8.0.1
CVE-2026-42310 medium pillow 8.0.1
GHSA-27jp-wm6q-gp25 medium sqlparse 0.4.1
GHSA-jgpv-4h4c-xhw3 medium pillow 8.0.1
GHSA-v78c-4p63-2j6c medium moment-timezone 0.5.33
CVE-2017-16137 low debug 4.1.1
CVE-2023-33185 low django-ses 1.0.3
CVE-2024-40647 low sentry-sdk 1.44.1
CVE-2024-42459 low elliptic 6.5.0
CVE-2024-42460 low elliptic 6.5.0
CVE-2024-42461 low elliptic 6.5.0
CVE-2024-43796 low express 4.17.1
CVE-2024-43799 low send 0.17.1
CVE-2024-43800 low serve-static 1.14.1
CVE-2024-47764 low cookie 0.4.0
CVE-2024-48948 low elliptic 6.5.0
CVE-2024-48949 low elliptic 6.5.0
CVE-2025-14505 low elliptic 6.5.0
CVE-2025-54798 low tmp 0.0.33
CVE-2025-5889 low brace-expansion 1.1.11
CVE-2026-2391 low qs 6.10.1
CVE-2026-27205 low flask 3.0.2
CVE-2026-27448 low pyopenssl 20.0.1
CVE-2026-34073 low cryptography 46.0.5
CVE-2026-4539 low pygments 2.19.2
GHSA-4fx9-vc88-q2xc low pillow 8.0.1
GHSA-56x4-j7p9-fcf9 low moment-timezone 0.5.33
GHSA-5cpq-8wj7-hf2v low cryptography 3.4.7
GHSA-jm77-qphf-c4w8 low cryptography 3.4.7
GHSA-v8gr-m533-ghj9 low cryptography 3.4.7
CVE-2022-42969 unknown py 1.10.0
MAL-2023-462 unknown fsevents 1.2.9
PYSEC-2023-175 unknown pillow 8.0.1

Showing 191 of 271
