
Security Deep Dive

NewsBlur

Security posture and CVE patch evidence from tracked releases.


1 actively-exploited dependency CVE affects v0.1.0: CVE-2023-4863 (pillow 8.0.1, the libwebp heap buffer overflow) is on the CISA KEV list.

KEV-listed CVEs are confirmed exploited in the wild; patch them urgently, ahead of findings that only carry a higher CVSS severity.

Signed: unknown · SLSA: unknown · SBOM: ✓ · Security policy: ✗ · Weekly cadence (11d median) · Active maintainer

Trust Signals: 3 of 9 present

Evidence already collected from releases and repository metadata. Each line gives the signal, its status, the evidence looked for, where it is looked for, and when it was last checked.

Signed releases: Unknown. Evidence: latest release artifact signature (latest release).
SLSA provenance: Unknown. Evidence: attestation predicate level (latest release).
SBOM published: Present. Evidence: GitHub SBOM API (latest release). Last verified 28d ago.
SECURITY.md: Absent. Evidence: GitHub repository metadata (repository policy). Checked 18d ago.
Release cadence, weekly: Present. Evidence: 11d median over recent releases (release history). Latest release 2mo ago.
Maintainer active: Present. Evidence: recent commit activity (repository). Last commit 15d ago.
Checksums (SHA256SUMS): Not active yet. Evidence sought: SHA256SUMS or equivalent (release asset). Latest release 2mo ago.
GitHub Actions attestation: Not active yet. Evidence sought: actions/attest-build-provenance (workflow file). Latest release 2mo ago.
Signing assets: Not active yet. Evidence sought: .sig, .crt, cosign.pub, or similar (release asset). Latest release 2mo ago.

The two Unknown rows should be read as absent rather than unverified: the Scorecard Signed-Releases check further down reports that no release is signed or carries provenance, which is consistent with no .sig/.crt assets, no SHA256SUMS and no attest-build-provenance step being found.
Security Score: 3.2/10 · Scorecard: 3.5/10 · Dependency Exposure: 271 transitive dependency CVEs found in the latest SBOM, 25 of them critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Flat components (points awarded / maximum, with the evidence each is based on):

epss: 0.25 / 0.5 (no EPSS data)
freshness: 1.00 / 1.0 (15d stale)
scorecard: 1.40 / 4.0 (Scorecard 3.5/10)
cve health: 0.00 / 2.5 (no open CVEs)
patch speed: 0.50 / 0.5 (estimated; no CVE patch history to measure)
kev exposure: 1.50 / 1.5 (no KEV exposure)
supply chain risk: -1.50 / 10.0 (risk 100.0/100; this component is a penalty, not an award)

The components sum to 3.15, which is the 3.2/10 shown in the header.

Score breakdown

schema v2

Dimension: score out of 10, weight, and the signals it is built from.

Vulnerability posture: 0.0/10, weight 25% (direct CVEs: clear; CVE scan: available)
Release responsiveness: 10.0/10, weight 5% (patch speed days: no history)
Dependency exposure: 0.0/10, weight 10% (supply chain risk: 100.0; transitive CVEs: 25 critical / 115 high)
Provenance trust: 3.5/10, weight 40% (Scorecard score: 3.5; OpenSSF badge: none)
Maintainer health: 10.0/10, weight 10% (activity freshness: 15d)
Operational risk: 8.5/10, weight 10% (KEV exposure: detected; EPSS max: none)
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Two things to keep in mind when reading the numbers. First, the headline 3.2/10 is the sum of the flat components (3.15), not the weighted average of the six dimensions, which works out to 3.75 (0.25 × 0.0 + 0.05 × 10.0 + 0.10 × 0.0 + 0.40 × 3.5 + 0.10 × 10.0 + 0.10 × 8.5). Second, the flat kev-exposure component says "no KEV exposure" while the operational-risk dimension says "KEV exposure: detected"; the labels show the difference is scope. The component, like the "direct cves: clear" line, covers NewsBlur's own CVE record, whereas the dimension and the Supply Chain Risk panel below count the KEV-listed CVE in a transitive dependency.

Supply Chain Risk

Risk 100.0/100 · 25 transitive critical CVEs · 1 KEV-listed transitive CVE · 61% dependency freshness

Scorecard

Scorecard 3.5/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 0 Found 0/30 approved changesets -- score normalized to 0
Maintained 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow 10 no dangerous workflow patterns detected
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
Security-Policy 0 security policy file not detected
License 10 license file detected
SAST 0 no SAST tool detected
Packaging 10 packaging workflow detected
Signed-Releases 0 Project has not signed or included provenance with any releases.
Branch-Protection 0 branch protection not enabled on development/release branches
Binary-Artifacts 6 binaries present in source code
Fuzzing 0 project is not fuzzed
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0
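Token-Permissions and Pinned-Dependencies are the two zero-scoring checks above that a maintainer can fix in a single workflow edit, and both are easy to regress. The linter below is an added example, not OpenSSF Scorecard's implementation and not taken from the NewsBlur repository: it re-implements the gist of those two checks with a line-oriented parser (no PyYAML dependency), so the same findings can be produced locally before a workflow is pushed. The weak and hardened workflows it scans are constructed for illustration; the commit SHAs in the hardened one are the ones I have for the actions/checkout v4.2.2 and actions/setup-python v5.3.0 tags and should be confirmed against the upstream tags (git ls-remote --tags) before being copied anywhere.

```python
"""Lint a GitHub Actions workflow for the Token-Permissions and Pinned-Dependencies findings.

Added example, not OpenSSF Scorecard's code and not from the NewsBlur repository.
It re-implements the gist of the two checks that scored 0 above with a
line-oriented parser (no PyYAML needed). The two workflows are constructed.
"""
import re

_TOP_PERMISSIONS = re.compile(r"^permissions:\s*(.*?)\s*$")
_WRITE_SCOPE = re.compile(r"^\s+([a-z-]+):\s*write\s*$")
_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
_SHA40 = re.compile(r"^[0-9a-f]{40}$")
_PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")


def lint_workflow(text: str) -> list[str]:
    """Return one finding per problem; an empty list means both checks pass."""
    findings: list[str] = []
    has_top_level_permissions = False
    in_top_level_block = False

    for lineno, line in enumerate(text.splitlines(), 1):
        # Token-Permissions: a top-level `permissions:` block must exist and must not
        # grant write scopes; write access belongs on the individual job that needs it.
        m = _TOP_PERMISSIONS.match(line)
        if m:
            has_top_level_permissions = True
            value = m.group(1)
            in_top_level_block = value == ""
            if value == "write-all":
                findings.append(f"line {lineno}: top-level permissions: write-all")
            continue
        if in_top_level_block:
            if line.startswith(" "):
                w = _WRITE_SCOPE.match(line)
                if w:
                    findings.append(f"line {lineno}: top-level {w.group(1)}: write")
                continue
            in_top_level_block = False  # first unindented line ends the block

        # Pinned-Dependencies: third-party actions must be pinned to a 40-hex commit
        # SHA (tags and branches are mutable), and pip installs must verify hashes.
        u = _USES.match(line)
        if u:
            ref = u.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local actions and images are outside this check
            _, _, rev = ref.rpartition("@")
            if not _SHA40.match(rev):
                findings.append(f"line {lineno}: action not pinned by commit SHA: {ref}")
        elif _PIP_INSTALL.search(line) and "--require-hashes" not in line:
            findings.append(f"line {lineno}: pip install without --require-hashes")

    if not has_top_level_permissions:
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps the repository default")
    return findings


# Constructed "before": the shape Scorecard scores 0 on both checks.
WEAK_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - run: pip install -r requirements.txt
"""

# Constructed "after": read-only token by default, write scopes only on the job that
# needs them, actions pinned to commit SHAs (verify each against its tag), hashed pip installs.
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
      - run: pip install --require-hashes -r requirements.txt
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, lint_workflow(wf) or "clean")
```

The job-level id-token: write in the hardened workflow is deliberate: it is what an OIDC-based signing or attestation step (the Signed-Releases and GitHub Actions attestation rows on this page) needs, and scoping it to one job keeps every other job's token read-only.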

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

1165 dependencies scanned.

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical 25 · High 115 · Medium 89 · Low 27 · Unknown 15 (271 findings in total)

1 dependency vulnerability is in KEV: CVE-2023-4863 in pillow 8.0.1.

CISA has confirmed this vulnerability is actively exploited. Treat it as the first item to fix, ahead of the 25 criticals, regardless of the "high" severity it carries in the table.

Columns: advisory ID · severity · KEV flag · dependency · affected version · release in which the finding was cleared. IDs without a CVE are GHSA, PYSEC or MAL identifiers from the OSV ecosystem; a MAL- entry (from the OpenSSF malicious-packages database) means the version was flagged as malicious rather than vulnerable, so the artifact actually installed in the build should be compared against the flagged one. The affected version is either the pinned version from the SBOM or a range such as "3.1,< 3.2", read as >= 3.1 and < 3.2. The last column is empty for every row: nothing has been cleared in a tracked release yet.
CVE-2012-3442 critical django 3.1,< 3.2
CVE-2014-0472 critical django 3.1,< 3.2
CVE-2018-20060 critical urllib3 1.26.0,< 2
CVE-2019-19844 critical django 3.1,< 3.2
CVE-2020-14343 critical pyyaml 5.3.1
CVE-2020-7471 critical django 3.1,< 3.2
CVE-2021-25289 critical pillow 8.0.1
CVE-2021-34552 critical pillow 8.0.1
CVE-2021-35042 critical django 3.1.10
CVE-2021-3918 critical json-schema 0.2.3
CVE-2021-44906 critical minimist 1.2.0
CVE-2022-22817 critical pillow 8.0.1
CVE-2022-37601 critical loader-utils 1.2.3
CVE-2023-41419 critical gevent 22.10.2
CVE-2023-45133 critical @babel/traverse 7.5.0
CVE-2023-45311 critical fsevents 1.2.9
CVE-2023-50447 critical pillow 8.0.1
CVE-2024-36039 critical pymysql 0.10.1
CVE-2025-64459 critical django 3.1.10
CVE-2025-6545 critical pbkdf2 3.0.17
CVE-2025-6547 critical pbkdf2 3.0.17
CVE-2025-7783 critical form-data 2.3.3
CVE-2025-9287 critical cipher-base 1.0.4
CVE-2025-9288 critical sha.js 2.4.11
GHSA-vjh7-7g9h-fjfh critical elliptic 6.5.0
CVE-2010-4534 high django 3.1,< 3.2
CVE-2011-4137 high django 3.1,< 3.2
CVE-2011-4138 high django 3.1,< 3.2
CVE-2011-4139 high django 3.1,< 3.2
CVE-2011-4140 high django 3.1,< 3.2
CVE-2012-2921 high feedparser 6,< 7
CVE-2012-3443 high django 3.1,< 3.2
CVE-2012-3444 high django 3.1,< 3.2
CVE-2014-0473 high django 3.1,< 3.2
CVE-2014-0474 high django 3.1,< 3.2
CVE-2014-0480 high django 3.1,< 3.2
CVE-2014-0481 high django 3.1,< 3.2
CVE-2015-0221 high django 3.1,< 3.2
CVE-2015-5143 high django 3.1,< 3.2
CVE-2015-5144 high django 3.1,< 3.2
CVE-2016-7401 high django 3.1,< 3.2
CVE-2018-1000656 high flask 2,< 3
CVE-2018-18074 high requests 2.25.0,< 3
CVE-2019-1010083 high flask 2,< 3
CVE-2019-11324 high urllib3 1.26.0,< 2
CVE-2019-14322 high werkzeug 2,< 3
CVE-2019-14806 high werkzeug 2,< 3
CVE-2019-20149 high kind-of 6.0.2
CVE-2020-13822 high elliptic 6.5.0
CVE-2020-35653 high pillow 8.0.1
CVE-2020-35654 high pillow 8.0.1
CVE-2020-7660 high serialize-javascript 1.7.0
CVE-2020-7774 high y18n 4.0.0
CVE-2020-7788 high ini 1.3.5
CVE-2020-8203 high lodash.pick 4.4.0
CVE-2020-8203 high lodash 4.17.14
CVE-2021-23337 high lodash 4.17.14
CVE-2021-23437 high pillow 8.0.1
CVE-2021-23727 high celery 4.4.7
CVE-2021-25287 high pillow 8.0.1
CVE-2021-25288 high pillow 8.0.1
CVE-2021-25290 high pillow 8.0.1
CVE-2021-25291 high pillow 8.0.1
CVE-2021-25293 high pillow 8.0.1
CVE-2021-27290 high ssri 6.0.1
CVE-2021-27921 high pillow 8.0.1
CVE-2021-27922 high pillow 8.0.1
CVE-2021-27923 high pillow 8.0.1
CVE-2021-28675 high pillow 8.0.1
CVE-2021-28676 high pillow 8.0.1
CVE-2021-28677 high pillow 8.0.1
CVE-2021-32803 high tar 4.4.8
CVE-2021-32804 high tar 4.4.8
CVE-2021-32839 high sqlparse 0.4.1
CVE-2021-33571 high django 3.1.10
CVE-2021-37701 high tar 4.4.8
CVE-2021-37712 high tar 4.4.8
CVE-2021-37713 high tar 4.4.8
CVE-2021-3803 high nth-check 1.0.2
CVE-2021-3807 high ansi-regex 4.1.0
CVE-2021-43138 high async 3.1.0
CVE-2022-24303 high pillow 8.0.1
CVE-2022-24434 high dicer 0.3.0
CVE-2022-24785 high moment 2.29.1
CVE-2022-24999 high qs 6.5.2
CVE-2022-25858 high terser 4.1.2
CVE-2022-25883 high semver 6.2.0
CVE-2022-31129 high moment 2.29.1
CVE-2022-3517 high minimatch 3.0.4
CVE-2022-36359 high django 3.1.10
CVE-2022-37599 high loader-utils 1.2.3
CVE-2022-37603 high loader-utils 1.2.3
CVE-2022-38900 high decode-uri-component 0.2.0
CVE-2022-40899 high future 0.18.2
CVE-2022-45198 high pillow 8.0.1
CVE-2022-46175 high json5 1.0.1
CVE-2023-0286 high cryptography 3.4.7
CVE-2023-25577 high werkzeug 2,< 3
CVE-2023-28117 high sentry-sdk
CVE-2023-30861 high flask 2,< 3
CVE-2023-37920 high certifi 2020.12.5
CVE-2023-43804 high urllib3 1.26.0,< 2
CVE-2023-44271 high pillow 8.0.1
CVE-2023-46234 high browserify-sign 4.0.4
CVE-2023-4863 high KEV pillow 8.0.1
CVE-2023-50782 high cryptography 3.4.7
CVE-2024-1135 high gunicorn 21.2.0
CVE-2024-21538 high cross-spawn 6.0.5
CVE-2024-28219 high pillow 8.0.1
CVE-2024-34069 high werkzeug 2,< 3
CVE-2024-37890 high ws 7.5.5
CVE-2024-4068 high braces 2.3.2
CVE-2024-4340 high sqlparse 0.4.1
CVE-2024-45296 high path-to-regexp 0.1.7
CVE-2024-45590 high body-parser 1.19.0
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2024-53899 high virtualenv 20.4.6
CVE-2024-6827 high gunicorn 21.2.0
CVE-2025-57833 high django 3.1.10
CVE-2025-64458 high django 3.1.10
CVE-2026-23745 high tar 4.4.8
CVE-2026-23950 high tar 4.4.8
CVE-2026-24842 high tar 4.4.8
CVE-2026-26007 high cryptography 3.4.7
CVE-2026-26960 high tar 4.4.8
CVE-2026-26996 high minimatch 3.0.4
CVE-2026-27903 high minimatch 3.0.4
CVE-2026-27904 high minimatch 3.0.4
CVE-2026-29786 high tar 4.4.8
CVE-2026-30922 high pyasn1 0.4.8
CVE-2026-31802 high tar 4.4.8
CVE-2026-32274 high black 23.1.0
CVE-2026-33151 high socket.io-parser 4.2.4
CVE-2026-35611 high addressable 2.8.7
CVE-2026-41066 high lxml 5.1.0
CVE-2026-42561 high python-multipart 0.0.22
CVE-2026-4800 high lodash 4.17.14
CVE-2026-4867 high path-to-regexp 0.1.7
GHSA-5c6j-r48x-rmvq high serialize-javascript 1.7.0
GHSA-6chw-6frg-f759 high acorn 6.2.0
CVE-2009-5065 medium feedparser 6,< 7
CVE-2010-4535 medium django 3.1,< 3.2
CVE-2011-4136 medium django 3.1,< 3.2
CVE-2013-2132 medium pymongo 3,< 4
CVE-2014-0482 medium django 3.1,< 3.2
CVE-2014-0483 medium django 3.1,< 3.2
CVE-2014-1829 medium requests 2.25.0,< 3
CVE-2014-1830 medium requests 2.25.0,< 3
CVE-2015-0219 medium django 3.1,< 3.2
CVE-2015-0220 medium django 3.1,< 3.2
CVE-2015-2241 medium django 3.1,< 3.2
CVE-2015-2317 medium django 3.1,< 3.2
CVE-2016-10516 medium werkzeug 2,< 3
CVE-2016-2512 medium django 3.1,< 3.2
CVE-2016-6186 medium django 3.1,< 3.2
CVE-2018-25091 medium urllib3 1.26.0,< 2
CVE-2019-11236 medium urllib3 1.26.0,< 2
CVE-2019-16769 medium serialize-javascript 1.7.0
CVE-2020-15366 medium ajv 6.10.1
CVE-2020-26137 medium urllib3 1.26.0,< 2
CVE-2020-28498 medium elliptic 6.5.0
CVE-2020-28500 medium lodash 4.17.14
CVE-2020-28724 medium werkzeug 2,< 3
CVE-2020-35655 medium pillow 8.0.1
CVE-2020-7598 medium minimist 1.2.0
CVE-2020-7608 medium yargs-parser 13.1.1
CVE-2021-23343 medium path-parse 1.0.6
CVE-2021-23362 medium hosted-git-info 2.7.1
CVE-2021-23980 medium bleach 3.2.1
CVE-2021-25292 medium pillow 8.0.1
CVE-2021-28678 medium pillow 8.0.1
CVE-2021-33203 medium django 3.1.10
CVE-2021-44420 medium django 3.1.10
CVE-2022-22815 medium pillow 8.0.1
CVE-2022-22816 medium pillow 8.0.1
CVE-2022-23491 medium certifi 2020.12.5
CVE-2023-23931 medium cryptography 3.4.7
CVE-2023-26136 medium tough-cookie 2.4.3
CVE-2023-28155 medium request 2.88.0
CVE-2023-29483 medium dnspython 2.0.0
CVE-2023-30608 medium sqlparse 0.4.1
CVE-2023-32681 medium requests 2.25.0
CVE-2023-45803 medium urllib3 1.26.0,< 2
CVE-2023-46136 medium werkzeug 2,< 3
CVE-2023-49083 medium cryptography 3.4.7
CVE-2024-0727 medium cryptography 3.4.7
CVE-2024-21503 medium black 23.1.0
CVE-2024-28863 medium tar 4.4.8
CVE-2024-29041 medium express 4.17.1
CVE-2024-34064 medium jinja2 3.1.3
CVE-2024-35195 medium requests 2.25.0,< 3
CVE-2024-3651 medium idna 2.10
CVE-2024-37891 medium urllib3 1.26.0,< 2
CVE-2024-4067 medium micromatch 3.1.10
CVE-2024-45231 medium django 3.1.10
CVE-2024-47081 medium requests 2.25.0,< 3
CVE-2024-49766 medium werkzeug 2,< 3
CVE-2024-49767 medium werkzeug 2,< 3
CVE-2024-56201 medium jinja2 3.1.3
CVE-2024-5629 medium pymongo 3,< 4
CVE-2024-56326 medium jinja2 3.1.3
CVE-2025-13465 medium lodash 4.17.14
CVE-2025-15284 medium qs 6.5.2
CVE-2025-27516 medium jinja2 3.1.3
CVE-2025-27789 medium @babel/runtime 7.5.4
CVE-2025-27789 medium @babel/runtime-corejs2 7.15.4
CVE-2025-48432 medium django 3.1.10
CVE-2025-50181 medium urllib3 1.26.0,< 2
CVE-2025-66221 medium werkzeug 2,< 3
CVE-2025-68146 medium filelock 3.0.12
CVE-2025-69873 medium ajv 6.10.1
CVE-2025-71176 medium pytest 9.0.2
CVE-2026-21860 medium werkzeug 2,< 3
CVE-2026-22701 medium filelock 3.0.12
CVE-2026-22702 medium virtualenv 20.4.6
CVE-2026-25645 medium requests 2.25.0,< 3
CVE-2026-27199 medium werkzeug 2,< 3
CVE-2026-2739 medium bn.js 4.11.8
CVE-2026-2950 medium lodash 4.17.14
CVE-2026-33750 medium brace-expansion 1.1.11
CVE-2026-34043 medium serialize-javascript 1.7.0
CVE-2026-39892 medium cryptography 46.0.5
CVE-2026-40347 medium python-multipart 0.0.22
CVE-2026-41425 medium authlib 1.6.9
CVE-2026-42308 medium pillow 8.0.1
CVE-2026-42310 medium pillow 8.0.1
GHSA-27jp-wm6q-gp25 medium sqlparse 0.4.1
GHSA-jgpv-4h4c-xhw3 medium pillow 8.0.1
GHSA-v78c-4p63-2j6c medium moment-timezone 0.5.33
CVE-2016-2513 low django 3.1,< 3.2
CVE-2017-16137 low debug 4.1.1
CVE-2023-23934 low werkzeug 2,< 3
CVE-2023-33185 low django-ses 1.0.3
CVE-2024-40647 low sentry-sdk 1.44.1
CVE-2024-42459 low elliptic 6.5.0
CVE-2024-42460 low elliptic 6.5.0
CVE-2024-42461 low elliptic 6.5.0
CVE-2024-43796 low express 4.17.1
CVE-2024-43799 low send 0.17.1
CVE-2024-43800 low serve-static 1.14.1
CVE-2024-47764 low cookie 0.4.0
CVE-2024-48948 low elliptic 6.5.0
CVE-2024-48949 low elliptic 6.5.0
CVE-2025-14505 low elliptic 6.5.0
CVE-2025-54798 low tmp 0.0.33
CVE-2025-5889 low brace-expansion 1.1.11
CVE-2026-2391 low qs 6.10.1
CVE-2026-27205 low flask 3.0.2
CVE-2026-27448 low pyopenssl 20.0.1
CVE-2026-34073 low cryptography 46.0.5
CVE-2026-4539 low pygments 2.19.2
GHSA-4fx9-vc88-q2xc low pillow 8.0.1
GHSA-56x4-j7p9-fcf9 low moment-timezone 0.5.33
GHSA-5cpq-8wj7-hf2v low cryptography 3.4.7
GHSA-jm77-qphf-c4w8 low cryptography 3.4.7
GHSA-v8gr-m533-ghj9 low cryptography 3.4.7
CVE-2007-5712 unknown django 3.1,< 3.2
CVE-2008-2302 unknown django 3.1,< 3.2
CVE-2008-3909 unknown django 3.1,< 3.2
CVE-2009-2659 unknown django 3.1,< 3.2
CVE-2011-1156 unknown feedparser 6,< 7
CVE-2011-1157 unknown feedparser 6,< 7
CVE-2011-1158 unknown feedparser 6,< 7
CVE-2015-0222 unknown django 3.1,< 3.2
CVE-2015-8213 unknown django 3.1,< 3.2
CVE-2016-9014 unknown django 3.1,< 3.2
CVE-2021-33503 unknown urllib3 1.26.0,< 2
CVE-2022-29361 unknown werkzeug 2,< 3
CVE-2022-42969 unknown py 1.10.0
MAL-2023-462 unknown fsevents 1.2.9
PYSEC-2023-175 unknown pillow 8.0.1

All 271 findings are listed above.
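The table above is the output of the process described at the top of this section (matching the latest release's SBOM against known advisories) combined with the KEV prioritization rule stated under the counts. The script below is an added example, not the dashboard's scanner and not NewsBlur code: it parses package URLs out of a CycloneDX-shaped SBOM, tests each component against advisory version ranges using OSV's introduced/fixed semantics, and orders the hits KEV first, then by severity, so that the one KEV-listed finding stays on top however many criticals surround it. The SBOM excerpt, the advisory ranges and the KEV set are constructed for the example; the advisory IDs are taken from the table, but the version ranges are illustrative and the authoritative ones come from https://api.osv.dev, with the KEV set from the CISA catalog. It generalizes slightly beyond the page by handling namespaced npm packages (the @babel/* rows) and a not-affected component.

```python
"""Match a CycloneDX SBOM against OSV-style advisories and rank hits KEV-first.

Added example, not the dashboard's scanner and not NewsBlur code. SBOM,
advisory ranges and KEV set are constructed; fetch real ranges from OSV
and the real KEV list from CISA.
"""
from urllib.parse import unquote

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

# Constructed SBOM excerpt in CycloneDX shape; the purl carries ecosystem, name and version.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"purl": p} for p in (
        "pkg:pypi/pillow@8.0.1", "pkg:pypi/django@3.1.10", "pkg:pypi/gunicorn@23.0.0",
        "pkg:npm/lodash@4.17.14", "pkg:npm/%40babel/traverse@7.5.0",
    )
]}


def _adv(aid, ecosystem, package, severity, introduced, fixed):
    return {"id": aid, "ecosystem": ecosystem, "package": package, "severity": severity,
            "ranges": [{"introduced": introduced, "fixed": fixed}]}


ADVISORIES = [  # constructed, OSV shape; IDs from the table above, ranges illustrative
    _adv("CVE-2023-4863", "pypi", "pillow", "high", "0", "10.0.1"),
    _adv("CVE-2025-64459", "pypi", "django", "critical", "3.0", "4.2.26"),
    _adv("CVE-2024-1135", "pypi", "gunicorn", "high", "0", "22.0.0"),
    _adv("CVE-2020-8203", "npm", "lodash", "high", "0", "4.17.19"),
    _adv("CVE-2023-45133", "npm", "@babel/traverse", "critical", "0", "7.23.2"),
]
KEV_IDS = {"CVE-2023-4863"}  # constructed KEV excerpt


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:<type>/<namespace/>name@version' into (ecosystem, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    ecosystem, _, rest = purl[4:].partition("/")
    name, _, version = rest.rpartition("@")
    return ecosystem, unquote(name), version


def version_key(v: str) -> tuple:
    """Order dotted versions numerically (enough for the PyPI/npm versions in the
    table; use the packaging or semver module for full PEP 440 / SemVer rules)."""
    key = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append((int(digits) if digits else -1, part))
    return tuple(key)


def is_affected(version: str, ranges: list[dict]) -> bool:
    """OSV semantics: affected when introduced <= version and version < fixed (if any)."""
    vk = version_key(version)
    for r in ranges:
        lo, hi = r.get("introduced", "0"), r.get("fixed")
        if vk >= version_key(lo) and (hi is None or vk < version_key(hi)):
            return True
    return False


def scan(sbom: dict, advisories: list[dict], kev_ids: set) -> list[dict]:
    """Return findings sorted KEV first, then severity, then ID (a stable, reviewable order)."""
    findings = []
    for comp in sbom["components"]:
        ecosystem, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) != (ecosystem, name):
                continue
            if is_affected(version, adv["ranges"]):
                fixed = [r["fixed"] for r in adv["ranges"] if r.get("fixed")]
                findings.append({"id": adv["id"], "severity": adv["severity"],
                                 "kev": adv["id"] in kev_ids, "package": name,
                                 "version": version, "fixed_in": fixed[0] if fixed else None})
    findings.sort(key=lambda f: (not f["kev"], SEVERITY_RANK[f["severity"]], f["id"]))
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Per-severity counts, the same shape as the Critical/High/Medium/Low/Unknown header."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    hits = scan(SBOM, ADVISORIES, KEV_IDS)
    print(summarize(hits))
    for f in hits:
        print(f"{'KEV ' if f['kev'] else '    '}{f['severity']:8s} {f['id']:16s} "
              f"{f['package']} {f['version']} -> fix in {f['fixed_in']}")
```

Re-running the same scan against the next release's SBOM is what populates the "Cleared in release" column: a row disappears only when the shipped version leaves every advisory range, not when a fix is merged to the default branch.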

Beta — feedback welcome: [email protected]