Skip to content
Tools / onedev / Security

Security Deep Dive

onedev

Security posture and CVE patch evidence from tracked releases.

Back to Tool

2 actively-exploited dependency CVEs affects v15.1.2.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

20 versions tracked
Version Published C H M L KEV Notes
v15.1.2 2026-06-02
Latest
v15.1.1 2026-06-02
v15.1.0 2026-06-02
v15.0.8 2026-05-21
v15.0.7 2026-05-10
v15.0.6 2026-05-07
Patches CVE-2016-4437 Patches CVE-2021-39144
v15.0.5 2026-05-01 1 1 KEV 2
v15.0.4 2026-05-01 1 1 KEV 2
v15.0.3 2026-04-30 1 1 KEV 2
v15.0.2 2026-04-28 1 1 KEV 2
v15.0.1 2026-04-27 1 1 KEV 2
v15.0.0 2026-04-25 1 1 KEV 2
v14.1.9 2026-03-15 1 1 KEV 2
v14.1.8 2026-03-04 1 1 KEV 2
v14.1.7 2026-02-25 1 1 KEV 2
v14.1.6 2026-02-19 1 1 KEV 2
v11.1.6 2026-02-19 1 1 KEV 2
v14.1.5 2026-02-14 1 1 KEV 2
v14.1.4 2026-02-05 1 1 KEV 2
v14.1.3 2026-02-03 1 1 KEV 2
— Signed — SLSA — SBOM ✗ Security policy Weekly cadence · 2d median Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 23d ago
Release cadence: weekly Present
2d median over recent releases Release history
Latest release: 1d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 2d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 1d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 1d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 1d ago
0.0/10 Security Score
2.5/10 Scorecard
Pending CVE Patch Speed
Open CVEs Open CVEs detected for latest version.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.00 / 0.5

Max EPSS 0.943

freshness

1.00 / 1.0

1d stale

scorecard

1.00 / 4.0

Score 2.5/10

cve health

0.00 / 2.5

Open CVEs detected

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

-1.50 / 1.5

KEV exposure detected

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: open cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 25c/72h

Provenance trust

provenance trust

2.5

40%

scorecard score: 2.5 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 1d

Operational risk

operational risk

0.0

10%

kev exposure: detected epss max: 0.943
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
25 Transitive critical CVEs
2 KEV-transitive CVEs
100% Dependency freshness

Scorecard

Scorecard 2.5/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 0 Found 0/30 approved changesets -- score normalized to 0
Maintained 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging -1 packaging workflow not detected
Token-Permissions -1 No tokens found
Dangerous-Workflow -1 no workflows found
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Security-Policy 0 security policy file not detected
SAST 0 no SAST tool detected
License 10 license file detected
Binary-Artifacts 5 binaries present in source code
Signed-Releases -1 no releases found
Branch-Protection 0 branch protection not enabled on development/release branches
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0
Fuzzing 0 project is not fuzzed

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.

CVEs Patched by Year

Critical High Medium Low
2026
2
CVE Severity EPSS Disclosed Fixed in Days to fix vs Ecosystem Median KEV
CVE-2016-4437 CRITICAL 99%ile v15.0.6 KEV
CVE-2021-39144 HIGH 99%ile v15.0.6 KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

269 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

25

High

72

Medium

79

Low

9

Unknown

0

2 dependency vulnerabilities are in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

Still affecting latest (5) All (185)
Critical 25 High 72 Medium 79 Low 9
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2013-4366 critical org.apache.httpcomponents:httpclient v15.0.6
CVE-2013-7285 critical com.thoughtworks.xstream:xstream v15.0.6
CVE-2016-1000031 critical commons-fileupload:commons-fileupload v15.0.6
CVE-2016-4437 critical KEV org.apache.shiro:shiro-core v15.0.7
CVE-2016-4800 critical org.eclipse.jetty:jetty-server v15.0.6
CVE-2016-6809 critical org.apache.tika:tika-core v15.0.6
CVE-2017-7657 critical org.eclipse.jetty:jetty-server v15.0.6
CVE-2017-7658 critical org.eclipse.jetty:jetty-server v15.0.6
CVE-2019-10173 critical com.thoughtworks.xstream:xstream v15.0.6
CVE-2019-13990 critical org.quartz-scheduler:quartz v15.0.6
CVE-2019-17638 critical org.eclipse.jetty:jetty-server v15.0.6
CVE-2020-10683 critical org.dom4j:dom4j v15.0.6
CVE-2020-11989 critical org.apache.shiro:shiro-core v15.0.6
CVE-2020-17523 critical org.apache.shiro:shiro-web v15.0.6
CVE-2020-1957 critical org.apache.shiro:shiro-core v15.0.6
CVE-2021-41303 critical org.apache.shiro:shiro-core v15.0.6
CVE-2022-0265 critical com.hazelcast:hazelcast v15.0.6
CVE-2022-32532 critical org.apache.shiro:shiro-core v15.0.6
CVE-2022-36437 critical com.hazelcast:hazelcast v15.0.6
CVE-2022-40664 critical org.apache.shiro:shiro-core v15.0.6
CVE-2022-41853 critical org.hsqldb:hsqldb v15.0.6
CVE-2022-45047 critical org.apache.sshd:sshd-core v15.0.6
CVE-2023-34478 critical org.apache.shiro:shiro-web v15.0.6
CVE-2025-66516 critical org.apache.tika:tika-core v15.0.6
GHSA-v57x-gxfj-484q critical com.hazelcast:hazelcast v15.0.6
CVE-2012-6153 high org.apache.httpcomponents:httpclient v15.0.6
CVE-2013-2186 high commons-fileupload:commons-fileupload v15.0.6
CVE-2014-0050 high commons-fileupload:commons-fileupload v15.0.6
CVE-2014-3526 high org.apache.wicket:wicket-core v15.0.6
CVE-2014-7808 high org.apache.wicket:wicket-core v15.0.6
CVE-2015-2080 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2016-10750 high com.hazelcast:hazelcast v15.0.6
CVE-2016-3092 high commons-fileupload:commons-fileupload v15.0.6
CVE-2016-3674 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2016-4434 high org.apache.tika:tika-core v15.0.6
CVE-2016-6802 high org.apache.shiro:shiro-web v15.0.6
CVE-2016-6806 high org.apache.wicket:wicket-core v15.0.6
CVE-2017-18640 high org.yaml:snakeyaml v15.0.6
CVE-2017-7656 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2017-7957 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2017-9735 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2018-1000632 high org.dom4j:dom4j v15.0.6
CVE-2018-11761 high org.apache.tika:tika-core v15.0.6
CVE-2018-11796 high org.apache.tika:tika-core v15.0.6
CVE-2018-12538 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2018-12545 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2018-1335 high org.apache.tika:tika-core v15.0.6
CVE-2019-10088 high org.apache.tika:tika-core v15.0.6
CVE-2019-10094 high org.apache.tika:tika-core v15.0.6
CVE-2019-12402 high org.apache.commons:commons-compress v15.0.6
CVE-2019-12422 high org.apache.shiro:shiro-core v15.0.6
CVE-2020-11976 high org.apache.wicket:wicket-core v15.0.6
CVE-2020-13933 high org.apache.shiro:shiro-core v15.0.6
CVE-2020-25638 high org.hibernate:hibernate-core v15.0.6
CVE-2020-26217 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21341 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-23937 high org.apache.wicket:wicket-core v15.0.6
CVE-2021-28165 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2021-29505 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-30129 high org.apache.sshd:sshd-core v15.0.6
CVE-2021-35515 high org.apache.commons:commons-compress v15.0.6
CVE-2021-35516 high org.apache.commons:commons-compress v15.0.6
CVE-2021-35517 high org.apache.commons:commons-compress v15.0.6
CVE-2021-36090 high org.apache.commons:commons-compress v15.0.6
CVE-2021-39139 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39141 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39144 high KEV com.thoughtworks.xstream:xstream v15.0.7
CVE-2021-39145 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39146 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39147 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39148 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39149 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39150 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39151 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39152 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39153 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-39154 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-43859 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2022-1471 high org.yaml:snakeyaml v15.0.6
CVE-2022-2191 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2022-25857 high org.yaml:snakeyaml v15.0.6
CVE-2022-40151 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2022-41966 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2022-45688 high org.json:json v15.0.6
CVE-2023-24998 high commons-fileupload:commons-fileupload v15.0.6
CVE-2023-33265 high com.hazelcast:hazelcast v15.0.6
CVE-2023-45859 high com.hazelcast:hazelcast v15.0.6
CVE-2023-45860 high com.hazelcast:hazelcast v15.0.6
CVE-2023-5072 high org.json:json v15.0.6
CVE-2024-13009 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2024-36522 high org.apache.wicket:wicket-util v15.0.6
CVE-2024-47072 high com.thoughtworks.xstream:xstream v15.0.6
CVE-2025-48976 high commons-fileupload:commons-fileupload v15.0.6
CVE-2026-0603 high org.hibernate:hibernate-core v15.0.6
CVE-2026-1605 high org.eclipse.jetty:jetty-server v15.0.6
CVE-2026-3505 high org.bouncycastle:bcpg-jdk18on v15.0.6
CVE-2026-5598 high org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2006-6969 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2011-1498 medium org.apache.httpcomponents:httpclient v15.0.6
CVE-2011-4461 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2012-2098 medium org.apache.commons:commons-compress v15.0.6
CVE-2014-0043 medium org.apache.wicket:wicket-core v15.0.6
CVE-2014-3577 medium org.apache.httpcomponents:httpclient v15.0.6
CVE-2015-5262 medium org.apache.httpcomponents:httpclient v15.0.6
CVE-2018-10237 medium com.google.guava:guava v15.0.6
CVE-2018-11762 medium org.apache.tika:tika-core v15.0.6
CVE-2018-11771 medium org.apache.commons:commons-compress v15.0.6
CVE-2018-12536 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2018-1324 medium org.apache.commons:commons-compress v15.0.6
CVE-2018-1338 medium org.apache.tika:tika-core v15.0.6
CVE-2018-8017 medium org.apache.tika:tika-core v15.0.6
CVE-2019-10219 medium org.hibernate.validator:hibernate-validator v15.0.6
CVE-2019-10241 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2019-10246 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2019-10247 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2019-14900 medium org.hibernate:hibernate-core v15.0.6
CVE-2019-17632 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2020-10693 medium org.hibernate.validator:hibernate-validator v15.0.6
CVE-2020-13956 medium org.apache.httpcomponents:httpclient v15.0.6
CVE-2020-26258 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2020-26259 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2020-27218 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2020-27223 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2020-36843 medium net.i2p.crypto:eddsa v15.0.6
CVE-2021-21342 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21343 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21344 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21345 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21346 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21347 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21348 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21349 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21350 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-21351 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2021-28169 medium org.eclipse.jetty:jetty-servlets v15.0.6
CVE-2021-28170 medium org.glassfish:javax.el v15.0.6
CVE-2021-39140 medium com.thoughtworks.xstream:xstream v15.0.6
CVE-2022-30126 medium org.apache.tika:tika-core v15.0.6
CVE-2022-30973 medium org.apache.tika:tika-core v15.0.6
CVE-2022-38749 medium org.yaml:snakeyaml v15.0.6
CVE-2022-38750 medium org.yaml:snakeyaml v15.0.6
CVE-2022-38751 medium org.yaml:snakeyaml v15.0.6
CVE-2022-38752 medium org.yaml:snakeyaml v15.0.6
CVE-2022-41854 medium org.yaml:snakeyaml v15.0.6
CVE-2023-1932 medium org.hibernate.validator:hibernate-validator v15.0.6
CVE-2023-26048 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2023-2976 medium com.google.guava:guava v15.0.6
CVE-2023-33201 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2023-33202 medium org.bouncycastle:bcpkix-jdk18on v15.0.6
CVE-2023-33202 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2023-33264 medium com.hazelcast:hazelcast v15.0.6
CVE-2023-35887 medium org.apache.sshd:sshd-core v15.0.6
CVE-2023-42503 medium org.apache.commons:commons-compress v15.0.6
CVE-2023-46749 medium org.apache.shiro:shiro-core v15.0.6
CVE-2023-46750 medium org.apache.shiro:shiro-web v15.0.6
CVE-2024-12798 medium ch.qos.logback:logback-core 1.4.14 v15.0.6
CVE-2024-25710 medium org.apache.commons:commons-compress v15.0.6
CVE-2024-26308 medium org.apache.commons:commons-compress v15.0.6
CVE-2024-29857 medium org.bouncycastle:bctls-jdk18on v15.0.6
CVE-2024-29857 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2024-30171 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2024-30171 medium org.bouncycastle:bctls-jdk18on v15.0.6
CVE-2024-30172 medium org.bouncycastle:bctls-jdk18on v15.0.6
CVE-2024-30172 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2024-34447 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2024-53299 medium org.apache.wicket:wicket-core v15.0.6
CVE-2024-8184 medium org.eclipse.jetty:jetty-server v15.0.6
CVE-2024-9823 medium org.eclipse.jetty:jetty-servlets v15.0.6
CVE-2025-11226 medium ch.qos.logback:logback-core 1.4.14 v15.0.6
CVE-2025-35036 medium org.hibernate.validator:hibernate-validator v15.0.6
CVE-2025-48924 medium org.apache.commons:commons-lang3 3.17.0 v15.0.6
CVE-2025-8885 medium org.bouncycastle:bctls-jdk18on v15.0.6
CVE-2025-8885 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2025-8916 medium org.bouncycastle:bcpkix-jdk18on v15.0.6
CVE-2026-0636 medium org.bouncycastle:bcprov-jdk18on v15.0.6
CVE-2026-5588 medium org.bouncycastle:bcpkix-jdk18on v15.0.6
CVE-2013-0248 low commons-fileupload:commons-fileupload v15.0.6
CVE-2020-8908 low com.google.guava:guava v15.0.6
CVE-2021-34428 low org.eclipse.jetty:jetty-server v15.0.6
CVE-2023-26049 low org.eclipse.jetty:jetty-server v15.0.6
CVE-2023-36479 low org.eclipse.jetty:jetty-servlets v15.0.6
CVE-2024-12801 low ch.qos.logback:logback-core 1.4.14 v15.0.6
CVE-2024-6762 low org.eclipse.jetty:jetty-servlets v15.0.6
CVE-2026-1225 low ch.qos.logback:logback-core 1.4.14 v15.0.6
CVE-2026-23901 low org.apache.shiro:shiro-core v15.0.6

Showing 185 of 185

Beta — feedback welcome: [email protected]