Skip to content
Tools / ocis / Security

Security Deep Dive

ocis

Security posture and CVE patch evidence from tracked releases.

Back to Tool

1 actively-exploited dependency CVE affects v8.0.4.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

6 versions tracked
Version Published C H M L KEV Notes
v8.0.4 2026-05-22
Latest
v8.0.3 2026-05-11
v8.0.2 2026-05-08
Patches CVE-2023-44487
v8.0.1 2026-03-11 1 KEV 1
v8.0.0 2026-02-16 1 KEV 1
v7.3.2 2026-02-05 1 KEV 1
— Signed — SLSA — SBOM ✗ Security policy Weekly cadence · 10d median Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 23d ago
Release cadence: weekly Present
10d median over recent releases Release history
Latest release: 12d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 2d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 12d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 12d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 12d ago
1.1/10 Security Score
5.3/10 Scorecard
Dependency Exposure 56 transitive dependency CVEs found in the latest SBOM. 2 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.00 / 0.5

Max EPSS 0.944

freshness

1.00 / 1.0

2d stale

scorecard

2.12 / 4.0

Score 5.3/10

cve health

0.50 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

-1.50 / 1.5

KEV exposure detected

supply chain risk

-1.50 / 10.0

Risk 63.8/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

2.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

3.6

10%

supply chain risk: 63.78 transitive cves: 2c/20h

Provenance trust

provenance trust

5.3

40%

scorecard score: 5.3 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 2d

Operational risk

operational risk

0.0

10%

kev exposure: detected epss max: 0.944
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 63.8/100
2 Transitive critical CVEs
1 KEV-transitive CVEs
61% Dependency freshness

Scorecard

Scorecard 5.3/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Maintained 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Code-Review 10 all changesets reviewed
Dangerous-Workflow 10 no dangerous workflow patterns detected
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
Fuzzing 0 project is not fuzzed
License 10 license file detected
Binary-Artifacts 9 binaries present in source code
Branch-Protection 4 branch protection is not maximal on development and all release branches
Signed-Releases 0 Project has not signed or included provenance with any releases.
Packaging 10 packaging workflow detected
Security-Policy 0 security policy file not detected
Pinned-Dependencies 6 dependency not pinned by hash detected -- score normalized to 6
SAST 0 SAST tool is not run on all commits -- score normalized to 0

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.

CVEs Patched by Year

Critical High Medium Low
2026
1
CVE Severity EPSS Disclosed Fixed in Days to fix vs Ecosystem Median KEV
CVE-2023-44487 HIGH 99%ile v8.0.2 KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

1916 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

2

High

20

Medium

19

Low

1

Unknown

14

1 dependency vulnerabilities are in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

Still affecting latest (54) All (56)
Critical 2 High 20 Medium 19 Low 1 Unknown 14
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2024-45337 critical golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2026-33186 critical google.golang.org/grpc 1.39.0 v8.0.2
CVE-2020-26160 high github.com/dgrijalva/jwt-go 3.2.0+incompatible v8.0.2
CVE-2021-33194 high golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2021-43565 high golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2022-21698 high github.com/prometheus/client_golang 1.10.0 v8.0.2
CVE-2022-27191 high golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2022-27664 high golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2022-41723 high golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2023-39325 high golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2024-24792 high golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2025-22868 high golang.org/x/oauth2 0.0.0-20210402161424-2e8d93401602 v8.0.2
CVE-2025-22869 high golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2025-65637 high github.com/sirupsen/logrus 1.8.1 v8.0.2
CVE-2026-24765 high phpunit/phpunit 9.6,< 10.0 v8.0.2
CVE-2026-27904 high minimatch 3.1.3 v8.0.2
CVE-2026-32284 high github.com/shamaton/msgpack/v2 v2.4.0 v8.0.2
CVE-2026-42264 high axios 1.15.1 v8.0.2
CVE-2026-44728 high @babel/plugin-transform-modules-systemjs 7.28.5 v8.0.2
CVE-2026-6321 high fast-uri 3.1.0 v8.0.2
CVE-2026-6322 high fast-uri 3.1.0 v8.0.2
GHSA-m425-mq94-257g high google.golang.org/grpc 1.39.0 v8.0.2
CVE-2022-29526 medium golang.org/x/sys 0.0.0-20210608053332-aa57babbf139 v8.0.2
CVE-2022-31022 medium github.com/blevesearch/bleve 1.0.9 v8.0.2
CVE-2022-41717 medium golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2022-41727 medium golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2023-29407 medium golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2023-29408 medium golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2023-3978 medium golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2023-44487 medium KEV golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.3
CVE-2023-45288 medium golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2023-48795 medium golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2024-24786 medium google.golang.org/protobuf 1.27.1 v8.0.2
CVE-2025-22870 medium golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2025-22872 medium golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2025-47914 medium golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2025-58181 medium golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2026-33532 medium yaml 1.10.2 v8.0.2
CVE-2026-33809 medium golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2026-41305 medium postcss 8.4.39 v8.0.2
CVE-2026-42044 medium axios 1.15.1 v8.0.2
CVE-2023-36308 low github.com/disintegration/imaging 1.6.2 v8.0.2
CVE-2020-8911 unknown github.com/aws/aws-sdk-go v1.55.8 v8.0.2
CVE-2020-8912 unknown github.com/aws/aws-sdk-go v1.55.8 v8.0.2
CVE-2021-44716 unknown golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2022-30636 unknown golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2024-45338 unknown golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2025-47911 unknown golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2025-47913 unknown golang.org/x/crypto 0.0.0-20201221181555-eec23a3978ad v8.0.2
CVE-2025-58190 unknown golang.org/x/net 0.0.0-20210428140749-89ef3d95e781 v8.0.2
CVE-2025-69725 unknown github.com/go-chi/chi 4.1.2+incompatible v8.0.2
CVE-2026-27141 unknown golang.org/x/net v0.50.0 v8.0.2
CVE-2026-33812 unknown golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2026-33813 unknown golang.org/x/image 0.0.0-20191009234506-e7c1f5e7dbb8 v8.0.2
CVE-2026-33814 unknown golang.org/x/net v0.50.0 v8.0.2
GO-2023-2153 unknown google.golang.org/grpc 1.39.0 v8.0.2

Showing 56 of 56

Beta — feedback welcome: [email protected]