
Security Deep Dive

Ralph

Security posture and CVE patch evidence from tracked releases.


1 actively exploited dependency CVE affects release 20260506.1: CVE-2023-4863 in pillow, a transitive dependency, is on the CISA KEV list.

KEV-listed CVEs are confirmed exploited in the wild; patch urgently.

Badges: Signed: unknown · SLSA: unknown · SBOM: present · Security policy: absent · Weekly cadence, 3d median · Active maintainer

Trust Signals: 3 of 9 present

Evidence already collected from releases and repository metadata.

Signed releases: Unknown. Evidence: latest release artifact signature (latest release).
SLSA provenance: Unknown. Evidence: attestation predicate level (latest release).
SBOM published: Present. Evidence: GitHub SBOM API (latest release). Last verified: 28d ago.
SECURITY.md: Absent. Evidence: GitHub repository metadata (repository policy). Checked: 22d ago.
Release cadence (weekly): Present. Evidence: 3d median over recent releases (release history). Latest release: 28d ago.
Maintainer active: Present. Evidence: recent commit activity (repository). Last commit: 1d ago.
Checksums (SHA256SUMS): Not active yet. Evidence: SHA256SUMS or equivalent (release asset). Latest release: 28d ago.
GitHub Actions attestation: Not active yet. Evidence: actions/attest-build-provenance (workflow file). Latest release: 28d ago.
Signing assets: Not active yet. Evidence: .sig, .crt, cosign.pub, or similar (release asset). Latest release: 28d ago.
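The checksum and signing-asset signals above describe release-side evidence; the example below (added here, not code from the Ralph project or from this dashboard) shows the check a consumer of the release would run: parse a SHA256SUMS file, verify each downloaded asset against it, and report whether the asset list carries checksum or signing material at all. The asset names, their bytes and the SHA256SUMS text are constructed for the example, and the filename patterns are an assumption that follows the signal descriptions above.

```python
"""Verify release assets against a SHA256SUMS file and report which release-side
trust signals (checksums, signing assets) an asset list carries.

Added example, not code from the Ralph project or from this dashboard. The
assets, their bytes and the SHA256SUMS text below are constructed so the block
runs offline; the filename patterns follow the signal descriptions above.
"""
import hashlib
import re

# Constructed release assets: filename -> bytes standing in for real artifacts.
ASSETS = {
    "ralph-20260506.1.tar.gz": b"constructed stand-in for a source tarball\n",
    "ralph-20260506.1-py3-none-any.whl": b"constructed stand-in for a wheel\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed SHA256SUMS in the coreutils "<hex>  <filename>" format. The wheel's
# digest is deliberately wrong so the verifier has a failure to report.
SHA256SUMS = (
    f"{sha256_hex(ASSETS['ralph-20260506.1.tar.gz'])}  ralph-20260506.1.tar.gz\n"
    f"{'0' * 64}  ralph-20260506.1-py3-none-any.whl\n"
)

# One digest line: 64 hex chars, whitespace, optional '*' (binary mode), filename.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def parse_sha256sums(text: str) -> dict:
    """Map filename -> expected digest; skip blank and comment lines, reject malformed ones."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if m is None:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_assets(assets: dict, sums_text: str) -> dict:
    """Verdict per asset: 'ok', 'MISMATCH' (digest differs) or 'unlisted' (no digest published)."""
    expected = parse_sha256sums(sums_text)
    verdicts = {}
    for name, data in assets.items():
        if name not in expected:
            verdicts[name] = "unlisted"
        elif sha256_hex(data) == expected[name]:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


# Filename patterns for the two release-asset signals on this page. The exact
# list is an assumption; the page names ".sig, .crt, cosign.pub, or similar".
CHECKSUM_NAMES = ("SHA256SUMS", "SHA256SUMS.txt", "checksums.txt")
SIGNING_SUFFIXES = (".sig", ".asc", ".crt", ".pem", ".sigstore", ".sigstore.json", "cosign.pub")
SIGNED_SUMS_NAMES = ("SHA256SUMS.sig", "SHA256SUMS.asc", "SHA256SUMS.sigstore.json")


def classify_release(asset_names) -> dict:
    """Which of the checksum / signing-asset signals the release's asset list carries."""
    names = list(asset_names)
    return {
        "checksums": any(n in CHECKSUM_NAMES or n.endswith(".sha256") for n in names),
        "signing_assets": any(n.endswith(SIGNING_SUFFIXES) for n in names),
        # A signed SHA256SUMS is what turns an integrity check into an authenticity check.
        "sums_signed": any(n in SIGNED_SUMS_NAMES for n in names),
    }


if __name__ == "__main__":
    for name, verdict in verify_assets(ASSETS, SHA256SUMS).items():
        print(f"{verdict:8s} {name}")
    print(classify_release(list(ASSETS) + ["SHA256SUMS"]))
```

A matching digest proves the download is the file the publisher listed, not who published it: an attacker who can replace an asset can usually replace the sums file next to it. Authenticity needs the SHA256SUMS file itself signed (a .sig or .asc verified against a published cosign.pub or PGP key) or a build provenance attestation, which is why the dashboard tracks checksums, signing assets and attestations as three separate signals.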
Security Score: 4.0/10
Scorecard: 5.5/10
Dependency Exposure: 257 transitive dependency CVEs found in the latest SBOM, 28 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

Flat component values (legacy signals; they sum to 3.95, which is the 4.0/10 headline):

epss: 0.25 / 0.5 (No EPSS data)
freshness: 1.00 / 1.0 (1d stale)
scorecard: 2.20 / 4.0 (Score 5.5/10)
cve health: 0.00 / 2.5 (No open CVEs)
patch speed: 0.50 / 0.5 (Estimated: no CVE patch history)
kev exposure: 1.50 / 1.5 (No KEV exposure; this disagrees with the operational risk dimension below, which reports KEV exposure as detected, and with the one KEV-listed transitive CVE in the dependency table, so the flat value appears to cover direct dependencies only)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown (schema v2)

Vulnerability posture: 0.0 (weight 25%). direct cves: clear; cve scan: available
Release responsiveness: 10.0 (weight 5%). patch speed days: no_history
Dependency exposure: 0.0 (weight 10%). supply chain risk: 100.0; transitive cves: 28c/119h
Provenance trust: 5.5 (weight 40%). scorecard score: 5.5; openssf badge: none
Maintainer health: 10.0 (weight 10%). activity freshness: 1d
Operational risk: 8.5 (weight 10%). kev exposure: detected; epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility. Two things to keep in mind when reading the numbers: the headline 4.0/10 is the sum of the flat components (0.25 + 1.00 + 2.20 + 0.00 + 0.50 + 1.50 - 1.50 = 3.95), not the weight-averaged dimensions, which would come to 4.55 (0.0×0.25 + 10.0×0.05 + 0.0×0.10 + 5.5×0.40 + 10.0×0.10 + 8.5×0.10); and the vulnerability posture dimension scores 0.0 while reporting the direct CVE scan as clear, as does the flat cve health component (0.00 of 2.5 under "No open CVEs"), so do not read those zeros as evidence of a direct-dependency CVE; the page's own scan result is clear.

Supply Chain Risk

Risk: 100.0/100
Transitive critical CVEs: 28
KEV-listed transitive CVEs: 1
Dependency freshness: 74%

Scorecard

Scorecard: 5.5/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent. A score of -1 means the check did not run or was inconclusive, not a zero: Packaging found no packaging workflow, Branch-Protection failed because the token used could not read classic branch protection rules, and Signed-Releases found no GitHub Releases to inspect even though the trust signals above record a release 28d ago (that check only looks at assets attached to GitHub Releases, so a release published another way is invisible to it). The actionable zeros are Token-Permissions (a workflow grants the GITHUB_TOKEN more than it needs; give each workflow a least-privilege permissions block), Pinned-Dependencies (actions or packages not pinned by commit SHA or hash), the missing security policy, and the absence of fuzzing.

Check Score Reason
Code-Review 5 Found 5/9 approved changesets -- score normalized to 5
Maintained 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow 10 no dangerous workflow patterns detected
Packaging -1 packaging workflow not detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts 10 no binaries found in the repo
Security-Policy 0 security policy file not detected
Fuzzing 0 project is not fuzzed
License 10 license file detected
Branch-Protection -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases -1 no releases found
SAST 9 SAST tool is not run on all commits -- score normalized to 9
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

231 dependencies scanned, 257 findings. View full dependency list.

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 28 · High: 119 · Medium: 89 · Low: 17 · Unknown: 4 (257 total)

1 dependency vulnerability is in KEV: CVE-2023-4863 (pillow).

CISA confirmed this vulnerability is actively exploited. Treat as critical priority.
Columns: CVE (or GHSA / OSV / PYSEC id), Severity, KEV (flagged only for CVE-2023-4863), Dependency, Affected version, Cleared in release. Affected version is blank where the scanner recorded no version for the match; the same SBOM lists django at 4.2.23 and pillow at 11.3.0, and Django advisories from 2007 through 2016 such as CVE-2007-0404 cannot apply to 4.2.x, so the unversioned rows are most likely name-only matches against an unversioned package entry and should be confirmed by hand before being counted as exposure. Cleared in release is blank for every row: none of these findings is recorded as fixed in a tracked release.
CVE-2011-0698 critical django
CVE-2012-3442 critical django
CVE-2013-2166 critical python-keystoneclient
CVE-2013-2167 critical python-keystoneclient
CVE-2014-0472 critical django
CVE-2014-1418 critical django
CVE-2014-3007 critical pillow
CVE-2016-4009 critical pillow
CVE-2016-9013 critical django
CVE-2016-9014 critical django
CVE-2019-14234 critical django
CVE-2019-19844 critical django
CVE-2020-11538 critical pillow
CVE-2020-5310 critical pillow
CVE-2020-5311 critical pillow
CVE-2020-5312 critical pillow
CVE-2020-7471 critical django
CVE-2021-25289 critical pillow
CVE-2021-34552 critical pillow
CVE-2021-35042 critical django
CVE-2022-22817 critical pillow
CVE-2022-28346 critical django
CVE-2022-28347 critical django
CVE-2022-34265 critical django
CVE-2023-31047 critical django
CVE-2023-50447 critical pillow
CVE-2024-42005 critical django
CVE-2025-64459 critical django 4.2.23
CVE-2007-0404 high django
CVE-2007-5712 high django
CVE-2008-3909 high django
CVE-2009-2659 high django
CVE-2009-3695 high django
CVE-2010-4534 high django
CVE-2011-0696 high django
CVE-2011-4137 high django
CVE-2011-4138 high django
CVE-2011-4139 high django
CVE-2011-4140 high django
CVE-2012-3443 high django
CVE-2012-3444 high django
CVE-2012-4520 high django
CVE-2013-1443 high django
CVE-2013-2104 high python-keystoneclient
CVE-2013-4315 high django
CVE-2014-0473 high django
CVE-2014-0474 high django
CVE-2014-0480 high django
CVE-2014-0481 high django
CVE-2014-1932 high pillow
CVE-2014-3589 high pillow
CVE-2014-3598 high pillow
CVE-2014-3730 high django
CVE-2014-7144 high python-keystoneclient
CVE-2014-9601 high pillow
CVE-2015-0221 high django
CVE-2015-0222 high django
CVE-2015-1852 high python-keystoneclient
CVE-2015-2316 high django
CVE-2015-5143 high django
CVE-2015-5144 high django
CVE-2015-5145 high django
CVE-2016-0775 high pillow
CVE-2016-2048 high django
CVE-2016-2533 high pillow
CVE-2016-3076 high pillow
CVE-2016-7401 high django
CVE-2016-9190 high pillow
CVE-2018-6188 high django
CVE-2019-14232 high django
CVE-2019-14233 high django
CVE-2019-14235 high django
CVE-2019-16865 high pillow
CVE-2019-19118 high django
CVE-2019-19911 high pillow
CVE-2019-3498 high django
CVE-2019-6975 high django
CVE-2020-10177 high pillow
CVE-2020-10378 high pillow
CVE-2020-10379 high pillow
CVE-2020-10994 high pillow
CVE-2020-13254 high django
CVE-2020-24583 high django
CVE-2020-35653 high pillow
CVE-2020-35654 high pillow
CVE-2020-5313 high pillow
CVE-2020-9402 high django
CVE-2021-23437 high pillow
CVE-2021-25287 high pillow
CVE-2021-25288 high pillow
CVE-2021-25290 high pillow
CVE-2021-25291 high pillow
CVE-2021-25293 high pillow
CVE-2021-27921 high pillow
CVE-2021-27922 high pillow
CVE-2021-27923 high pillow
CVE-2021-28675 high pillow
CVE-2021-28676 high pillow
CVE-2021-28677 high pillow
CVE-2021-31542 high django
CVE-2021-33571 high django
CVE-2021-45115 high django
CVE-2021-45116 high django
CVE-2022-23833 high django
CVE-2022-24303 high pillow
CVE-2022-30595 high pillow
CVE-2022-36359 high django
CVE-2022-41323 high django
CVE-2022-45198 high pillow
CVE-2022-45199 high pillow
CVE-2023-23969 high django
CVE-2023-24580 high django
CVE-2023-25577 high werkzeug 0.16.1
CVE-2023-28859 high redis
CVE-2023-36053 high django
CVE-2023-43665 high django
CVE-2023-44271 high pillow
CVE-2023-46695 high django
CVE-2023-4863 high KEV pillow
CVE-2024-24680 high django
CVE-2024-28219 high pillow
CVE-2024-34069 high werkzeug 0.16.1
CVE-2024-38875 high django
CVE-2024-39330 high django
CVE-2024-39614 high django
CVE-2024-53908 high django
CVE-2024-6345 high setuptools 65.7.0
CVE-2025-47273 high setuptools 65.7.0
CVE-2025-48379 high pillow
CVE-2025-57833 high django 4.2.23
CVE-2025-59681 high django 4.2.23
CVE-2025-64458 high django 4.2.23
CVE-2025-66418 high urllib3 2.5.0
CVE-2025-66471 high urllib3 2.5.0
CVE-2026-1207 high django 4.2.23
CVE-2026-1287 high django 4.2.23
CVE-2026-21441 high urllib3 2.5.0
CVE-2026-23490 high pyasn1 0.6.1
CVE-2026-25673 high django 4.2.23
CVE-2026-25990 high pillow 11.3.0
CVE-2026-26007 high cryptography 45.0.5
CVE-2026-30922 high pyasn1 0.6.1
CVE-2026-32597 high pyjwt 2.10.1
CVE-2026-33034 high django 4.2.23
CVE-2026-3902 high django 4.2.23
CVE-2026-40192 high pillow 11.3.0
CVE-2026-42311 high pillow 11.3.0
CVE-2007-0405 medium django
CVE-2008-2302 medium django
CVE-2010-3082 medium django
CVE-2010-4535 medium django
CVE-2011-0697 medium django
CVE-2011-4136 medium django
CVE-2013-0305 medium django
CVE-2013-0306 medium django
CVE-2013-1664 medium django
CVE-2013-1665 medium django
CVE-2013-2030 medium python-keystoneclient
CVE-2013-2255 medium python-keystoneclient
CVE-2013-4249 medium django
CVE-2013-6044 medium django
CVE-2014-0482 medium django
CVE-2014-0483 medium django
CVE-2014-1933 medium pillow
CVE-2015-0219 medium django
CVE-2015-0220 medium django
CVE-2015-2241 medium django
CVE-2015-2317 medium django
CVE-2015-3982 medium django
CVE-2015-5963 medium django
CVE-2015-5964 medium django
CVE-2015-8213 medium django
CVE-2016-0740 medium pillow
CVE-2016-2512 medium django
CVE-2016-6186 medium django
CVE-2016-9189 medium pillow
CVE-2017-12794 medium django
CVE-2017-5992 medium openpyxl
CVE-2017-7233 medium django
CVE-2017-7234 medium django
CVE-2018-14574 medium django
CVE-2018-16984 medium django
CVE-2018-7536 medium django
CVE-2019-11358 medium django
CVE-2019-12308 medium django
CVE-2019-12781 medium django
CVE-2020-13596 medium django
CVE-2020-24584 medium django
CVE-2020-35655 medium pillow
CVE-2021-25292 medium pillow
CVE-2021-28658 medium django
CVE-2021-28678 medium pillow
CVE-2021-32052 medium django
CVE-2021-3281 medium django
CVE-2021-33203 medium django
CVE-2021-44420 medium django
CVE-2021-45452 medium django
CVE-2022-22815 medium pillow
CVE-2022-22816 medium pillow
CVE-2022-22818 medium django
CVE-2023-28858 medium redis
CVE-2023-41164 medium django
CVE-2023-46136 medium werkzeug 0.16.1
CVE-2024-27351 medium django
CVE-2024-39329 medium django
CVE-2024-41989 medium django
CVE-2024-41990 medium django
CVE-2024-41991 medium django
CVE-2024-45230 medium django
CVE-2024-45231 medium django
CVE-2024-49766 medium werkzeug 0.16.1
CVE-2024-49767 medium werkzeug 0.16.1
CVE-2024-53907 medium django
CVE-2024-56374 medium django
CVE-2025-13372 medium django 4.2.23
CVE-2025-26699 medium django
CVE-2025-27556 medium django
CVE-2025-32873 medium django
CVE-2025-48432 medium django
CVE-2025-61783 medium social-auth-app-django 5.4.3
CVE-2025-61911 medium python-ldap 3.4.4
CVE-2025-61912 medium python-ldap 3.4.4
CVE-2025-64460 medium django 4.2.23
CVE-2025-66221 medium werkzeug 0.16.1
CVE-2025-69534 medium markdown 3.2.1
CVE-2026-1312 medium django 4.2.23
CVE-2026-21860 medium werkzeug 0.16.1
CVE-2026-25645 medium requests 2.32.4
CVE-2026-27199 medium werkzeug 0.16.1
CVE-2026-33033 medium django 4.2.23
CVE-2026-39892 medium cryptography 45.0.5
CVE-2026-42308 medium pillow 11.3.0
CVE-2026-42309 medium pillow 11.3.0
CVE-2026-42310 medium pillow 11.3.0
GHSA-27jp-wm6q-gp25 medium sqlparse 0.5.3
GHSA-jgpv-4h4c-xhw3 medium pillow
CVE-2013-2013 low python-keystoneclient
CVE-2014-0105 low python-keystoneclient
CVE-2016-2513 low django
CVE-2018-7537 low django
CVE-2023-23934 low werkzeug 0.16.1
CVE-2024-21520 low djangorestframework 3.15.0
CVE-2025-13473 low django 4.2.23
CVE-2025-14550 low django 4.2.23
CVE-2025-59682 low django 4.2.23
CVE-2025-68142 low pymdown-extensions 10.4
CVE-2026-1285 low django 4.2.23
CVE-2026-25674 low django 4.2.23
CVE-2026-34073 low cryptography 45.0.5
CVE-2026-4277 low django 4.2.23
CVE-2026-4292 low django 4.2.23
CVE-2026-4539 low pygments 2.19.2
GHSA-4fx9-vc88-q2xc low pillow
CVE-2022-29361 unknown werkzeug 0.16.1
OSV-2022-1074 unknown pillow
OSV-2022-715 unknown pillow
PYSEC-2023-175 unknown pillow
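The table above is flat text, and 257 rows are too many to work through top to bottom. The example below (added here, not the dashboard's code) parses rows in the layout the table uses, counts them by severity, pulls out the KEV entry, and separates rows that carry an affected version from rows that name a package only, which is the distinction the triage caveat on the table turns on. ROWS is a constructed eight-row subset copied from the table; the parsing rules are inferred from how the rows read and would need adjusting if the real export carries more columns.

```python
"""Triage the flattened CVE table above: parse each row, count by severity,
pull out KEV entries, and separate findings that carry an affected version
from findings matched on the package name alone.

Added example, not the dashboard's code. ROWS is a constructed subset copied
from the table; the row layout (id, severity, optional KEV flag, dependency,
optional affected version) is inferred from how the rows read on the page.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed subset of the table above (eight of the 257 rows).
ROWS = """\
CVE-2011-0698 critical django
CVE-2023-4863 high KEV pillow
CVE-2025-64459 critical django 4.2.23
CVE-2023-25577 high werkzeug 0.16.1
CVE-2026-42311 high pillow 11.3.0
GHSA-27jp-wm6q-gp25 medium sqlparse 0.5.3
OSV-2022-1074 unknown pillow
CVE-2007-0404 high django
"""

SEVERITIES = ("critical", "high", "medium", "low", "unknown")


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    kev: bool
    package: str
    version: str | None  # None when the row carries no affected version


def parse_row(line: str) -> Finding:
    """One table row -> Finding. Raises ValueError on anything that is not a row."""
    parts = line.split()
    if len(parts) < 3 or parts[1] not in SEVERITIES:
        raise ValueError(f"unrecognised row: {line!r}")
    vuln_id, severity, rest = parts[0], parts[1], parts[2:]
    kev = rest[0] == "KEV"
    if kev:
        rest = rest[1:]
    if not rest:
        raise ValueError(f"row has no dependency: {line!r}")
    version = rest[1] if len(rest) > 1 else None
    return Finding(vuln_id, severity, kev, rest[0], version)


def parse_table(text: str) -> list[Finding]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def kev_ids(findings: list[Finding]) -> list[str]:
    return [f.vuln_id for f in findings if f.kev]


def unversioned_by_package(findings: list[Finding]) -> dict[str, int]:
    """Packages with rows lacking an affected version: name-only matches to confirm by hand."""
    return dict(Counter(f.package for f in findings if f.version is None))


def triage_order(findings: list[Finding]) -> list[str]:
    """KEV first, then severity, then versioned matches ahead of name-only ones."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}

    def key(f: Finding):
        return (not f.kev, rank[f.severity], f.version is None, f.vuln_id)

    return [f.vuln_id for f in sorted(findings, key=key)]


if __name__ == "__main__":
    found = parse_table(ROWS)
    print("by severity:", severity_counts(found))
    print("KEV:", kev_ids(found))
    print("name-only matches:", unversioned_by_package(found))
    print("work order:", triage_order(found))
```

Run over the full table, the same functions should reproduce the page's severity split (28/119/89/17/4), return CVE-2023-4863 as the only KEV id, and surface the large block of unversioned django and pillow rows that needs checking against the SBOM's django 4.2.23 and pillow 11.3.0 before anyone is asked to patch 28 criticals.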

