Skip to content
Tools / scrypted / Security

Security Deep Dive

scrypted

Security posture and CVE patch evidence from tracked releases.

Back to Tool

1 actively-exploited dependency CVE affects v0.143.0.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

— Signed — SLSA ✓ SBOM ✗ Security policy Unknown cadence Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

2/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Present
GitHub SBOM API Latest release
Last verified: 28d ago
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 18d ago
Release cadence Unknown
12-release median Release history
Latest release: 7mo ago
Maintainer active Present
Recent commit activity Repository
Last commit: 5d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 7mo ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 7mo ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 7mo ago
3.8/10 Security Score
Dependency Exposure 250 transitive dependency CVEs found in the latest SBOM. 22 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

4d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

⚠ No direct scan — 22c/99h transitive CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: estimated

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 22c/99h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 4d

Operational risk

operational risk

8.5

10%

kev exposure: detected epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
22 Transitive critical CVEs
1 KEV-transitive CVEs
44% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

6017 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

22

High

99

Medium

92

Low

36

Unknown

1

1 dependency vulnerabilities are in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

Still affecting latest (160) All (250)
Critical 22 High 99 Medium 92 Low 36 Unknown 1
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2020-11538 critical pillow 5.4.1
CVE-2020-5310 critical pillow 5.4.1
CVE-2020-5311 critical pillow 5.4.1
CVE-2020-5312 critical pillow 5.4.1
CVE-2021-25289 critical pillow 5.4.1
CVE-2021-34552 critical pillow 5.4.1
CVE-2022-2216 critical parse-url 5.0.8
CVE-2022-22817 critical pillow 5.4.1
CVE-2022-2900 critical parse-url 5.0.8
CVE-2022-37601 critical loader-utils 1.4.0
CVE-2023-28154 critical webpack 5.74.0
CVE-2023-36665 critical protobufjs 6.11.3
CVE-2023-45133 critical @babel/traverse 7.20.13
CVE-2023-46233 critical crypto-js 4.1.1
CVE-2023-50447 critical pillow 5.4.1
CVE-2025-6545 critical pbkdf2 3.1.2
CVE-2025-6547 critical pbkdf2 3.1.2
CVE-2025-7783 critical form-data 4.0.0
CVE-2025-9287 critical cipher-base 1.0.4
CVE-2025-9288 critical sha.js 2.4.11
CVE-2026-41242 critical protobufjs 6.11.3
GHSA-vjh7-7g9h-fjfh critical elliptic 6.5.4
CVE-2018-18074 high requests
CVE-2019-13611 high python-engineio
CVE-2019-16865 high pillow 5.4.1
CVE-2019-19911 high pillow 5.4.1
CVE-2020-10177 high pillow 5.4.1
CVE-2020-10378 high pillow 5.4.1
CVE-2020-10379 high pillow 5.4.1
CVE-2020-10994 high pillow 5.4.1
CVE-2020-35653 high pillow 5.4.1
CVE-2020-35654 high pillow 5.4.1
CVE-2020-5313 high pillow 5.4.1
CVE-2021-23437 high pillow 5.4.1
CVE-2021-25287 high pillow 5.4.1
CVE-2021-25288 high pillow 5.4.1
CVE-2021-25290 high pillow 5.4.1
CVE-2021-25291 high pillow 5.4.1
CVE-2021-25293 high pillow 5.4.1
CVE-2021-27921 high pillow 5.4.1
CVE-2021-27922 high pillow 5.4.1
CVE-2021-27923 high pillow 5.4.1
CVE-2021-28675 high pillow 5.4.1
CVE-2021-28676 high pillow 5.4.1
CVE-2021-28677 high pillow 5.4.1
CVE-2021-33623 high trim-newlines 2.0.0
CVE-2021-41495 high numpy 1.16.2
CVE-2022-0624 high parse-path 4.0.4
CVE-2022-0722 high parse-url 5.0.8
CVE-2022-24303 high pillow 5.4.1
CVE-2022-24999 high qs 6.7.0
CVE-2022-25881 high http-cache-semantics 4.1.0
CVE-2022-25883 high semver 7.3.8
CVE-2022-3517 high minimatch 3.0.4
CVE-2022-37599 high loader-utils 1.4.0
CVE-2022-37603 high loader-utils 1.4.0
CVE-2022-38900 high decode-uri-component 0.2.0
CVE-2022-45198 high pillow 5.4.1
CVE-2022-46175 high json5 1.0.1
CVE-2023-44271 high pillow 5.4.1
CVE-2023-46234 high browserify-sign 4.2.1
CVE-2023-4863 high KEV pillow 5.4.1
CVE-2024-12905 high tar-fs 2.1.1
CVE-2024-21538 high cross-spawn 7.0.3
CVE-2024-23334 high aiohttp
CVE-2024-28219 high pillow 5.4.1
CVE-2024-29180 high webpack-dev-middleware 3.7.3
CVE-2024-29415 high ip 1.1.8
CVE-2024-30251 high aiohttp
CVE-2024-37890 high ws 7.5.6
CVE-2024-39338 high axios 1.6.5
CVE-2024-4068 high braces 3.0.2
CVE-2024-45296 high path-to-regexp 0.1.7
CVE-2024-45590 high body-parser 1.20.2
CVE-2024-52798 high path-to-regexp 0.1.7
CVE-2025-12816 high node-forge 1.3.1
CVE-2025-14874 high nodemailer 6.9.1
CVE-2025-27152 high axios 1.6.5
CVE-2025-48387 high tar-fs 2.1.1
CVE-2025-58754 high axios 1.6.5
CVE-2025-59343 high tar-fs 2.1.1
CVE-2025-64756 high glob 11.0.3
CVE-2025-65945 high jws 4.0.0
CVE-2025-66031 high node-forge 1.3.1
CVE-2025-69223 high aiohttp
CVE-2026-1526 high undici 7.16.0
CVE-2026-1528 high undici 7.16.0
CVE-2026-2229 high undici 7.16.0
CVE-2026-23745 high tar 6.2.0
CVE-2026-23950 high tar 6.2.0
CVE-2026-24842 high tar 6.2.0
CVE-2026-25547 high @isaacs/brace-expansion 5.0.0
CVE-2026-25639 high axios 1.6.5
CVE-2026-25990 high pillow 10.3.0
CVE-2026-26960 high tar 6.2.0
CVE-2026-26996 high minimatch 10.0.3
CVE-2026-27601 high underscore 1.13.6
CVE-2026-27606 high rollup 4.52.5
CVE-2026-27903 high minimatch 10.0.3
CVE-2026-27904 high minimatch 10.0.3
CVE-2026-29786 high tar 6.2.0
CVE-2026-31802 high tar 6.2.0
CVE-2026-33151 high socket.io-parser 3.3.3
CVE-2026-33671 high picomatch 2.3.1
CVE-2026-33891 high node-forge 1.3.1
CVE-2026-33894 high node-forge 1.3.1
CVE-2026-33895 high node-forge 1.3.1
CVE-2026-33896 high node-forge 1.3.1
CVE-2026-40192 high pillow 10.3.0
CVE-2026-42033 high axios 1.6.5
CVE-2026-42035 high axios 1.6.5
CVE-2026-42043 high axios 1.6.5
CVE-2026-42264 high axios 1.6.5
CVE-2026-42311 high pillow 10.3.0
CVE-2026-4800 high lodash 4.17.21
CVE-2026-4867 high path-to-regexp 0.1.7
CVE-2026-4926 high path-to-regexp 8.2.0
CVE-2026-6321 high fast-uri 3.0.6
CVE-2026-6322 high fast-uri 3.0.6
GHSA-5c6j-r48x-rmvq high serialize-javascript 6.0.1
GHSA-w4hv-vmv9-hgcr high @scrypted/server 0.6.26
CVE-2014-1829 medium requests
CVE-2014-1830 medium requests
CVE-2015-2296 medium requests
CVE-2020-35655 medium pillow 5.4.1
CVE-2020-7608 medium yargs-parser 10.1.0
CVE-2021-25292 medium pillow 5.4.1
CVE-2021-28678 medium pillow 5.4.1
CVE-2021-29510 medium pydantic
CVE-2021-33430 medium numpy 1.16.2
CVE-2021-34141 medium numpy 1.16.2
CVE-2021-41496 medium numpy 1.16.2
CVE-2022-2217 medium parse-url 5.0.8
CVE-2022-2218 medium parse-url 5.0.8
CVE-2022-22815 medium pillow 5.4.1
CVE-2022-22816 medium pillow 5.4.1
CVE-2022-3224 medium parse-url 5.0.8
CVE-2022-33987 medium got 9.6.0
CVE-2023-26115 medium word-wrap 1.2.3
CVE-2023-26136 medium tough-cookie 3.0.1
CVE-2023-26159 medium follow-redirects 1.14.9
CVE-2023-32681 medium requests
CVE-2023-32695 medium socket.io-parser 3.3.3
CVE-2023-37276 medium aiohttp
CVE-2023-45857 medium axios 0.21.4
CVE-2023-47620 medium @scrypted/server 0.6.26
CVE-2023-47627 medium aiohttp
CVE-2023-49081 medium aiohttp
CVE-2023-49082 medium aiohttp
CVE-2024-11831 medium serialize-javascript 6.0.1
CVE-2024-23829 medium aiohttp
CVE-2024-27306 medium aiohttp
CVE-2024-28849 medium follow-redirects 1.15.4
CVE-2024-28863 medium tar 6.2.0
CVE-2024-29041 medium express 4.18.2
CVE-2024-35195 medium requests
CVE-2024-36751 medium parseuri 0.0.6
CVE-2024-37168 medium @grpc/grpc-js 1.8.11
CVE-2024-3772 medium pydantic
CVE-2024-4067 medium micromatch 4.0.5
CVE-2024-42367 medium aiohttp
CVE-2024-43788 medium webpack 5.80.0
CVE-2024-47081 medium requests
CVE-2024-52303 medium aiohttp
CVE-2024-52304 medium aiohttp
CVE-2024-55565 medium nanoid 3.3.3
CVE-2025-13033 medium nodemailer 6.9.1
CVE-2025-13465 medium lodash 4.17.21
CVE-2025-13466 medium body-parser 2.2.0
CVE-2025-15284 medium qs 6.11.0
CVE-2025-27789 medium @babel/helpers 7.16.7
CVE-2025-62718 medium axios 1.6.5
CVE-2025-64718 medium js-yaml 4.1.0
CVE-2025-66030 medium node-forge 1.3.1
CVE-2025-66400 medium mdast-util-to-hast 13.2.0
CVE-2025-69227 medium aiohttp
CVE-2025-69228 medium aiohttp
CVE-2025-69229 medium aiohttp
CVE-2025-69873 medium ajv 6.12.6
CVE-2026-1525 medium undici 7.16.0
CVE-2026-1527 medium undici 7.16.0
CVE-2026-22036 medium undici 7.16.0
CVE-2026-22815 medium aiohttp
CVE-2026-2327 medium markdown-it 14.1.0
CVE-2026-25645 medium requests
CVE-2026-2739 medium bn.js 5.2.0
CVE-2026-2950 medium lodash 4.17.21
CVE-2026-33532 medium yaml 2.8.1
CVE-2026-33672 medium picomatch 2.3.1
CVE-2026-33750 medium brace-expansion 1.1.11
CVE-2026-34043 medium serialize-javascript 6.0.1
CVE-2026-34515 medium aiohttp
CVE-2026-34516 medium aiohttp
CVE-2026-34525 medium aiohttp
CVE-2026-40175 medium axios 1.6.5
CVE-2026-42034 medium axios 1.6.5
CVE-2026-42036 medium axios 1.6.5
CVE-2026-42037 medium axios 1.6.5
CVE-2026-42038 medium axios 1.6.5
CVE-2026-42039 medium axios 1.6.5
CVE-2026-42041 medium axios 1.6.5
CVE-2026-42042 medium axios 1.6.5
CVE-2026-42044 medium axios 1.6.5
CVE-2026-42308 medium pillow 10.3.0
CVE-2026-42310 medium pillow 10.3.0
CVE-2026-42338 medium ip-address 9.0.5
CVE-2026-4923 medium path-to-regexp 8.2.0
GHSA-67mh-4wv8-2f99 medium esbuild 0.15.9
GHSA-9h6g-pr28-7cqp medium nodemailer 6.9.1
GHSA-jgpv-4h4c-xhw3 medium pillow 5.4.1
GHSA-pjjw-qhg8-p2p9 medium aiohttp
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.11
GHSA-vvjj-xcjg-gr5g medium nodemailer 6.9.1
CVE-2017-16137 low debug 4.1.1
CVE-2021-21330 low aiohttp
CVE-2023-42282 low ip 1.1.8
CVE-2023-47641 low aiohttp
CVE-2024-42459 low elliptic 6.5.4
CVE-2024-42460 low elliptic 6.5.4
CVE-2024-42461 low elliptic 6.5.4
CVE-2024-43796 low express 4.18.2
CVE-2024-43799 low send 0.18.0
CVE-2024-43800 low serve-static 1.15.0
CVE-2024-47764 low cookie 0.4.1
CVE-2024-48948 low elliptic 6.5.4
CVE-2024-48949 low elliptic 6.5.4
CVE-2025-14505 low elliptic 6.5.4
CVE-2025-46653 low formidable 2.1.2
CVE-2025-53643 low aiohttp
CVE-2025-54798 low tmp 0.2.1
CVE-2025-5889 low brace-expansion 1.1.11
CVE-2025-68157 low webpack 5.80.0
CVE-2025-68458 low webpack 5.80.0
CVE-2025-69224 low aiohttp
CVE-2025-69225 low aiohttp
CVE-2025-69226 low aiohttp
CVE-2025-69230 low aiohttp
CVE-2026-2391 low qs 6.11.0
CVE-2026-24001 low diff 4.0.2
CVE-2026-34513 low aiohttp
CVE-2026-34514 low aiohttp
CVE-2026-34517 low aiohttp
CVE-2026-34518 low aiohttp
CVE-2026-34519 low aiohttp
CVE-2026-34520 low aiohttp
CVE-2026-3455 low mailparser 3.6.4
CVE-2026-42040 low axios 1.6.5
GHSA-4fx9-vc88-q2xc low pillow 5.4.1
GHSA-c7w3-x93f-qmm8 low nodemailer 6.9.1
PYSEC-2023-175 unknown pillow 5.4.1

Showing 250 of 250

Beta — feedback welcome: [email protected]