Skip to content
Tools / Silex / Security

Security Deep Dive

Silex

Security posture and CVE patch evidence from tracked releases.

Back to Tool

9 critical dependency CVEs affects v3.7.3.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA — SBOM ✗ Security policy Unknown cadence Active maintainer

Trust Signals — 1 of 9 Present

Evidence already collected from releases and repository metadata.

1/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Absent
GitHub repository metadata Repository policy
Checked: 18d ago
Release cadence Unknown
12-release median Release history
Latest release: 18d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 11d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 18d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 18d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 18d ago
3.3/10 Security Score
3.8/10 Scorecard
Dependency Exposure 209 transitive dependency CVEs found in the latest SBOM. 9 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

11d stale

scorecard

1.52 / 4.0

Score 3.8/10

cve health

0.00 / 2.5

No open CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: available

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 9c/88h

Provenance trust

provenance trust

3.8

40%

scorecard score: 3.8 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 11d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
9 Transitive critical CVEs
0 KEV-transitive CVEs
56% Dependency freshness

Scorecard

Scorecard 3.8/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 0 Found 0/23 approved changesets -- score normalized to 0
Dangerous-Workflow 10 no dangerous workflow patterns detected
Binary-Artifacts 10 no binaries found in the repo
Maintained 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10
Packaging -1 packaging workflow not detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies 0 dependency not pinned by hash detected -- score normalized to 0
Security-Policy 0 security policy file not detected
Fuzzing 0 project is not fuzzed
License 10 license file detected
Branch-Protection -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases 0 Project has not signed or included provenance with any releases.
SAST 0 SAST tool is not run on all commits -- score normalized to 0

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

6002 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

9

High

88

Medium

67

Low

21

Unknown

24

Still affecting latest (135) All (209)
Critical 9 High 88 Medium 67 Low 21 Unknown 24
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2021-23369 critical handlebars 4.3.4 v3.7.3
CVE-2021-23383 critical handlebars 4.3.4 v3.7.3
CVE-2021-44906 critical minimist 0.0.10 v3.7.3
CVE-2022-39353 critical xmldom 0.1.19 v3.7.3
CVE-2024-21534 critical jsonpath-plus 10.1.0 v3.7.3
CVE-2024-48910 critical dompurify 2.4.1 v3.7.3
CVE-2026-27699 critical basic-ftp 5.0.5 v3.7.3
CVE-2026-28792 critical @tinacms/cli 1.12.6 v3.7.3
CVE-2026-33937 critical handlebars 4.3.4 v3.7.3
CVE-2017-1000048 high qs 2.3.3 v3.7.3
CVE-2019-20920 high handlebars 4.3.4 v3.7.3
CVE-2019-20922 high handlebars 4.3.4 v3.7.3
CVE-2020-8203 high lodash 4.17.15 v3.7.3
CVE-2021-23337 high lodash 4.17.15 v3.7.3
CVE-2021-23337 high lodash.template 4.5.0 v3.7.3
CVE-2022-24785 high moment 2.24.0 v3.7.3
CVE-2022-24999 high qs 2.3.3 v3.7.3
CVE-2022-31129 high moment 2.24.0 v3.7.3
CVE-2022-37620 high html-minifier 4.0.0 v3.7.3
CVE-2024-21538 high cross-spawn 5.1.0 v3.7.3
CVE-2024-29415 high ip 1.1.5 v3.7.3
CVE-2024-45296 high path-to-regexp 0.1.7 v3.7.3
CVE-2024-45590 high body-parser 1.20.2 v3.7.3
CVE-2024-45801 high dompurify 2.4.1 v3.7.3
CVE-2024-47875 high dompurify 2.4.1 v3.7.3
CVE-2024-52798 high path-to-regexp 0.1.7 v3.7.3
CVE-2025-12758 high validator 11.1.0 v3.7.3
CVE-2025-12816 high node-forge 1.3.1 v3.7.3
CVE-2025-1302 high jsonpath-plus 10.1.0 v3.7.3
CVE-2025-64756 high glob 10.4.5 v3.7.3
CVE-2025-66031 high node-forge 1.3.1 v3.7.3
CVE-2025-68278 high tinacms 2.10.1 v3.7.3
CVE-2025-68278 high @tinacms/graphql 1.6.3 v3.7.3
CVE-2025-68278 high @tinacms/cli 1.12.6 v3.7.3
CVE-2026-25547 high @isaacs/brace-expansion 5.0.0 v3.7.3
CVE-2026-26996 high minimatch 9.0.5 v3.7.3
CVE-2026-27601 high underscore 1.13.7 v3.7.3
CVE-2026-27606 high rollup 4.51.0 v3.7.3
CVE-2026-27903 high minimatch 9.0.5 v3.7.3
CVE-2026-27904 high minimatch 9.0.5 v3.7.3
CVE-2026-27959 high koa 2.16.2 v3.7.3
CVE-2026-28793 high @tinacms/cli 1.12.6 v3.7.3
CVE-2026-30952 high liquidjs 10.21.1 v3.7.3
CVE-2026-31812 high quinn-proto 0.11.13 v3.7.3
CVE-2026-32141 high flatted 3.3.3 v3.7.3
CVE-2026-33228 high flatted 3.3.3 v3.7.3
CVE-2026-33285 high liquidjs 10.21.1 v3.7.3
CVE-2026-33287 high liquidjs 10.21.1 v3.7.3
CVE-2026-3336 high aws-lc-sys 0.37.1 v3.7.3
CVE-2026-3337 high aws-lc-sys 0.37.1 v3.7.3
CVE-2026-3338 high aws-lc-sys 0.37.1 v3.7.3
CVE-2026-33671 high picomatch 2.3.1 v3.7.3
CVE-2026-33891 high node-forge 1.3.1 v3.7.3
CVE-2026-33894 high node-forge 1.3.1 v3.7.3
CVE-2026-33895 high node-forge 1.3.1 v3.7.3
CVE-2026-33896 high node-forge 1.3.1 v3.7.3
CVE-2026-33938 high handlebars 4.3.4 v3.7.3
CVE-2026-33939 high handlebars 4.3.4 v3.7.3
CVE-2026-33940 high handlebars 4.3.4 v3.7.3
CVE-2026-33941 high handlebars 4.3.4 v3.7.3
CVE-2026-33949 high @tinacms/graphql 1.6.3 v3.7.3
CVE-2026-34601 high xmldom 0.1.19 v3.7.3
CVE-2026-34603 high @tinacms/graphql 1.6.3 v3.7.3
CVE-2026-34604 high @tinacms/graphql 1.6.3 v3.7.3
CVE-2026-35525 high liquidjs 10.21.1 v3.7.3
CVE-2026-41311 high liquidjs 10.21.1 v3.7.3
CVE-2026-41324 high basic-ftp 5.0.5 v3.7.3
CVE-2026-41672 high xmldom 0.1.19 v3.7.3
CVE-2026-41673 high xmldom 0.1.19 v3.7.3
CVE-2026-41674 high xmldom 0.1.19 v3.7.3
CVE-2026-41675 high xmldom 0.1.19 v3.7.3
CVE-2026-41676 high openssl 0.10.76 v3.7.3
CVE-2026-41678 high openssl 0.10.76 v3.7.3
CVE-2026-41681 high openssl 0.10.76 v3.7.3
CVE-2026-41898 high openssl 0.10.76 v3.7.3
CVE-2026-42033 high axios 1.13.6 v3.7.3
CVE-2026-42035 high axios 1.13.6 v3.7.3
CVE-2026-42043 high axios 1.13.6 v3.7.3
CVE-2026-42264 high axios 1.13.6 v3.7.3
CVE-2026-42327 high openssl 0.10.76 v3.7.3
CVE-2026-42559 high rmcp 0.15.0 v3.7.3
CVE-2026-44240 high basic-ftp 5.0.5 v3.7.3
CVE-2026-4428 high aws-lc-sys 0.37.1 v3.7.3
CVE-2026-4800 high lodash 4.17.15 v3.7.3
CVE-2026-4800 high lodash.template 4.5.0 v3.7.3
CVE-2026-4800 high lodash-es 4.17.23 v3.7.3
CVE-2026-4867 high path-to-regexp 0.1.7 v3.7.3
CVE-2026-6321 high fast-uri 3.1.0 v3.7.3
CVE-2026-6322 high fast-uri 3.1.0 v3.7.3
GHSA-2cf5-4w76-r9qv high handlebars 4.3.4 v3.7.3
GHSA-394x-vwmw-crm3 high aws-lc-sys 0.37.1 v3.7.3
GHSA-5c6j-r48x-rmvq high serialize-javascript 6.0.2 v3.7.3
GHSA-6v7q-wjvx-w8wg high basic-ftp 5.0.5 v3.7.3
GHSA-82j2-j2ch-gfr8 high rustls-webpki 0.103.9 v3.7.3
GHSA-g9r4-xpmj-mj65 high handlebars 4.3.4 v3.7.3
GHSA-m4gq-x24j-jpmf high mermaid 9.3.0 v3.7.3
GHSA-q2c6-c6pm-g3gh high handlebars 4.3.4 v3.7.3
CVE-2018-16481 medium html-pages 3.1.0 v3.7.3
CVE-2019-10775 medium ecstatic 2.2.2 v3.7.3
CVE-2020-28500 medium lodash 4.17.15 v3.7.3
CVE-2020-7598 medium minimist 0.0.10 v3.7.3
CVE-2020-7789 medium node-notifier 6.0.0 v3.7.3
CVE-2021-21353 medium pug 2.0.4 v3.7.3
CVE-2021-21366 medium xmldom 0.1.19 v3.7.3
CVE-2021-32796 medium xmldom 0.1.19 v3.7.3
CVE-2021-3765 medium validator 11.1.0 v3.7.3
CVE-2022-21802 medium grapesjs 0.22.14 v3.7.3
CVE-2022-33987 medium got 9.6.0 v3.7.3
CVE-2024-36361 medium pug 2.0.4 v3.7.3
CVE-2024-36361 medium pug-code-gen 2.0.3 v3.7.3
CVE-2024-43788 medium webpack 5.93.0 v3.7.3
CVE-2025-13465 medium lodash 4.17.15 v3.7.3
CVE-2025-15284 medium qs 2.3.3 v3.7.3
CVE-2025-26791 medium dompurify 2.4.1 v3.7.3
CVE-2025-30359 medium webpack-dev-server 4.15.2 v3.7.3
CVE-2025-30360 medium webpack-dev-server 4.15.2 v3.7.3
CVE-2025-56200 medium validator 11.1.0 v3.7.3
CVE-2025-62522 medium vite 4.5.14 v3.7.3
CVE-2025-62595 medium koa 2.16.2 v3.7.3
CVE-2025-62718 medium axios 1.13.6 v3.7.3
CVE-2025-64718 medium js-yaml 3.14.1 v3.7.3
CVE-2025-66030 medium node-forge 1.3.1 v3.7.3
CVE-2025-68470 medium react-router 6.3.0 v3.7.3
CVE-2025-69873 medium ajv 8.17.1 v3.7.3
CVE-2026-2327 medium markdown-it 13.0.2 v3.7.3
CVE-2026-24125 medium @tinacms/graphql 1.6.3 v3.7.3
CVE-2026-29066 medium @tinacms/cli 1.12.6 v3.7.3
CVE-2026-2950 medium lodash 4.17.15 v3.7.3
CVE-2026-2950 medium lodash-es 4.17.23 v3.7.3
CVE-2026-33055 medium tar 0.4.44 v3.7.3
CVE-2026-33056 medium tar 0.4.44 v3.7.3
CVE-2026-33532 medium yaml 2.8.2 v3.7.3
CVE-2026-33672 medium picomatch 2.3.1 v3.7.3
CVE-2026-33750 medium brace-expansion 2.0.2 v3.7.3
CVE-2026-33916 medium handlebars 4.3.4 v3.7.3
CVE-2026-34043 medium serialize-javascript 6.0.2 v3.7.3
CVE-2026-39365 medium vite 4.5.14 v3.7.3
CVE-2026-39412 medium liquidjs 10.21.1 v3.7.3
CVE-2026-39859 medium liquidjs 10.21.1 v3.7.3
CVE-2026-40175 medium axios 1.13.6 v3.7.3
CVE-2026-41239 medium dompurify 2.4.1 v3.7.3
CVE-2026-41240 medium dompurify 2.4.1 v3.7.3
CVE-2026-41305 medium postcss 8.5.8 v3.7.3
CVE-2026-42034 medium axios 1.13.6 v3.7.3
CVE-2026-42036 medium axios 1.13.6 v3.7.3
CVE-2026-42037 medium axios 1.13.6 v3.7.3
CVE-2026-42038 medium axios 1.13.6 v3.7.3
CVE-2026-42039 medium axios 1.13.6 v3.7.3
CVE-2026-42041 medium axios 1.13.6 v3.7.3
CVE-2026-42042 medium axios 1.13.6 v3.7.3
CVE-2026-42044 medium axios 1.13.6 v3.7.3
CVE-2026-42184 medium tauri 2.10.2 v3.7.3
CVE-2026-42338 medium ip-address 10.1.0 v3.7.3
CVE-2026-44662 medium openssl 0.10.76 v3.7.3
GHSA-39q2-94rc-95cp medium dompurify 2.4.1 v3.7.3
GHSA-67mh-4wv8-2f99 medium esbuild 0.18.20 v3.7.3
GHSA-cj63-jhhr-wcxv medium dompurify 2.4.1 v3.7.3
GHSA-cjmm-f4jc-qw8r medium dompurify 2.4.1 v3.7.3
GHSA-f52g-6jhx-586p medium handlebars 4.3.4 v3.7.3
GHSA-h8r8-wccr-v5f2 medium dompurify 2.4.1 v3.7.3
GHSA-pwjx-qhcg-rvj4 medium rustls-webpki 0.103.9 v3.7.3
GHSA-r4q5-vmmm-2653 medium follow-redirects 1.15.11 v3.7.3
GHSA-wrw7-89jp-8q8g medium glib 0.18.5 v3.7.3
GHSA-xx4c-jj58-r7x6 medium validator 11.1.0 v3.7.3
CVE-2023-42282 low ip 1.1.5 v3.7.3
CVE-2024-43796 low express 4.19.2 v3.7.3
CVE-2024-43799 low send 0.17.1 v3.7.3
CVE-2024-43800 low serve-static 1.15.0 v3.7.3
CVE-2024-47764 low cookie 0.4.1 v3.7.3
CVE-2025-46653 low formidable 3.5.1 v3.7.3
CVE-2025-58751 low vite 4.5.14 v3.7.3
CVE-2025-58752 low vite 4.5.14 v3.7.3
CVE-2025-68157 low webpack 5.101.3 v3.7.3
CVE-2025-68458 low webpack 5.101.3 v3.7.3
CVE-2025-7339 low on-headers 1.0.2 v3.7.3
CVE-2026-2391 low qs 6.11.0 v3.7.3
CVE-2026-24001 low diff 4.0.2 v3.7.3
CVE-2026-34166 low liquidjs 10.21.1 v3.7.3
CVE-2026-3449 low @tootallnate/once 2.0.0 v3.7.3
CVE-2026-41677 low openssl 0.10.76 v3.7.3
CVE-2026-42040 low axios 1.13.6 v3.7.3
GHSA-442j-39wm-28r2 low handlebars 4.3.4 v3.7.3
GHSA-965h-392x-2mh5 low rustls-webpki 0.103.9 v3.7.3
GHSA-cq8v-f236-94qc low rand 0.8.5 v3.7.3
GHSA-xgp8-3hg3-c2mh low rustls-webpki 0.103.9 v3.7.3
RUSTSEC-2024-0370 unknown proc-macro-error 1.0.4 v3.7.3
RUSTSEC-2024-0411 unknown gdkwayland-sys 0.18.2 v3.7.3
RUSTSEC-2024-0412 unknown gdk 0.18.2 v3.7.3
RUSTSEC-2024-0413 unknown atk 0.18.2 v3.7.3
RUSTSEC-2024-0414 unknown gdkx11-sys 0.18.2 v3.7.3
RUSTSEC-2024-0415 unknown gtk 0.18.2 v3.7.3
RUSTSEC-2024-0416 unknown atk-sys 0.18.2 v3.7.3
RUSTSEC-2024-0417 unknown gdkx11 0.18.2 v3.7.3
RUSTSEC-2024-0418 unknown gdk-sys 0.18.2 v3.7.3
RUSTSEC-2024-0419 unknown gtk3-macros 0.18.2 v3.7.3
RUSTSEC-2024-0420 unknown gtk-sys 0.18.2 v3.7.3
RUSTSEC-2024-0429 unknown glib 0.18.5 v3.7.3
RUSTSEC-2025-0057 unknown fxhash 0.2.1 v3.7.3
RUSTSEC-2025-0075 unknown unic-char-range 0.9.0 v3.7.3
RUSTSEC-2025-0080 unknown unic-common 0.9.0 v3.7.3
RUSTSEC-2025-0081 unknown unic-char-property 0.9.0 v3.7.3
RUSTSEC-2025-0098 unknown unic-ucd-version 0.9.0 v3.7.3
RUSTSEC-2025-0100 unknown unic-ucd-ident 0.9.0 v3.7.3
RUSTSEC-2026-0044 unknown aws-lc-sys 0.37.1 v3.7.3
RUSTSEC-2026-0049 unknown rustls-webpki 0.103.9 v3.7.3
RUSTSEC-2026-0097 unknown rand 0.8.5 v3.7.3
RUSTSEC-2026-0098 unknown rustls-webpki 0.103.9 v3.7.3
RUSTSEC-2026-0099 unknown rustls-webpki 0.103.9 v3.7.3
RUSTSEC-2026-0104 unknown rustls-webpki 0.103.9 v3.7.3

Showing 209 of 209

Beta — feedback welcome: [email protected]