Security Deep Dive

Text Generation Web UI

Security posture and CVE patch evidence from tracked releases.

1 actively-exploited dependency CVE affects v4.9.

KEV-listed CVEs are confirmed exploited in the wild — patch urgently.

Versions by Severity

CVEs are attributed to tracked releases published before the patch release.

20 versions tracked
Version Published C H M L KEV Notes
v4.9 2026-05-20 Latest
v4.8 2026-05-07 Patches CVE-2023-4863
v4.7.3 2026-05-03 1 KEV 1
v4.7.2 2026-05-03 1 KEV 1
v4.7.1 2026-05-03 1 KEV 1
v4.7 2026-05-03 1 KEV 1
v4.6.2 2026-04-23 1 KEV 1
v4.6.1 2026-04-23 1 KEV 1
v4.6 2026-04-23 1 KEV 1
v4.5.2 2026-04-15 1 KEV 1
v4.5.1 2026-04-15 1 KEV 1
v4.5 2026-04-15 1 KEV 1
v4.4 2026-04-07 1 KEV 1
v4.3.3 2026-04-04 1 KEV 1
v4.3.2 2026-04-03 1 KEV 1
v4.3.1 2026-04-03 1 KEV 1
v4.3 2026-04-03 1 KEV 1
v4.2 2026-03-24 1 KEV 1
v4.1.1 2026-03-18 1 KEV 1
v4.1 2026-03-16 1 KEV 1

— Signed | — SLSA | — SBOM | ✗ Security policy | Weekly cadence · 0d median | Active maintainer

Trust Signals — 2 of 9 Present

Evidence already collected from releases and repository metadata.

Signed releases: Unknown
    Latest release artifact signature; Latest release

SLSA provenance: Unknown
    Attestation predicate level; Latest release

SBOM published: Unknown
    GitHub SBOM API; Latest release

SECURITY.md: Absent
    GitHub repository metadata; Repository policy
    Checked: 22d ago

Release cadence: weekly: Present
    0d median over recent releases; Release history
    Latest release: 14d ago

Maintainer active: Present
    Recent commit activity; Repository
    Last commit: 2d ago

Checksums (SHA256SUMS): Not active yet
    SHA256SUMS or equivalent; Release asset
    Latest release: 14d ago

GitHub Actions attestation: Not active yet
    actions/attest-build-provenance; Workflow file
    Latest release: 14d ago

Signing assets: Not active yet
    .sig, .crt, cosign.pub, or similar; Release asset
    Latest release: 14d ago

0.5/10 Security Score
Dependency Exposure 173 transitive dependency CVEs found in the latest SBOM. 20 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss: 0.00 / 0.5 (Max EPSS 0.933)
freshness: 1.00 / 1.0 (2d stale)
scorecard: 2.00 / 4.0 (⚠ Estimated, not yet collected)
cve health: 0.00 / 2.5 (⚠ No direct scan, 20c/76h transitive CVEs)
patch speed: 0.50 / 0.5 (⚠ Estimated, no CVE patch history)
kev exposure: -1.50 / 1.5 (KEV exposure detected)
supply chain risk: -1.50 / 10.0 (Risk 100.0/100)

Score breakdown

schema v2

Vulnerability posture: 0.0 (25%); direct cves: clear; cve scan: estimated
Release responsiveness: 10.0 (5%); patch speed days: no_history
Dependency exposure: 0.0 (10%); supply chain risk: 100.0; transitive cves: 20c/76h
Provenance trust: 5.0 (40%); scorecard score: estimated; openssf badge: none
Maintainer health: 10.0 (10%); activity freshness: 2d
Operational risk: 0.0 (10%); kev exposure: detected; epss max: 0.933

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100
20 Transitive critical CVEs
1 KEV-transitive CVE
44% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

CVE Patch History

Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.

CVEs Patched by Year

2026: 1

CVE Severity EPSS Disclosed Fixed in Days to fix vs Ecosystem Median KEV
CVE-2023-4863 HIGH 99%ile v4.8 KEV

KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.

Dependency Vulnerabilities

99 dependencies scanned

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical: 20, High: 76, Medium: 60, Low: 8, Unknown: 9

1 dependency vulnerability is in KEV.

CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.

CVE Severity KEV Dependency Affected version Cleared in release
CVE-2014-3007 critical pillow v4.8
CVE-2015-7337 critical ipython v4.8
CVE-2016-4009 critical pillow v4.8
CVE-2017-18342 critical pyyaml v4.8
CVE-2019-20477 critical pyyaml v4.8
CVE-2019-6446 critical numpy v4.8
CVE-2020-11538 critical pillow v4.8
CVE-2020-14343 critical pyyaml v4.8
CVE-2020-1747 critical pyyaml v4.8
CVE-2020-5310 critical pillow v4.8
CVE-2020-5311 critical pillow v4.8
CVE-2020-5312 critical pillow v4.8
CVE-2021-25289 critical pillow v4.8
CVE-2021-34552 critical pillow v4.8
CVE-2022-22817 critical pillow v4.8
CVE-2023-50447 critical pillow v4.8
CVE-2023-6730 critical transformers v4.8
CVE-2025-14009 critical nltk v4.8
CVE-2025-23042 critical gradio 4.37.2+custom.20 v4.8
GHSA-jxr6-qrxx-2ph2 critical num2words v4.8
CVE-2013-4251 high scipy v4.8
CVE-2014-1858 high numpy v4.8
CVE-2014-1859 high numpy v4.8
CVE-2014-1932 high pillow v4.8
CVE-2014-3429 high ipython v4.8
CVE-2014-3589 high pillow v4.8
CVE-2014-3598 high pillow v4.8
CVE-2014-9601 high pillow v4.8
CVE-2015-5607 high ipython v4.8
CVE-2016-0775 high pillow v4.8
CVE-2016-10075 high tqdm v4.8
CVE-2016-2533 high pillow v4.8
CVE-2016-3076 high pillow v4.8
CVE-2016-5851 high python-docx v4.8
CVE-2016-9190 high pillow v4.8
CVE-2017-12852 high numpy v4.8
CVE-2018-18074 high requests v4.8
CVE-2019-14751 high nltk v4.8
CVE-2019-16865 high pillow v4.8
CVE-2019-19911 high pillow v4.8
CVE-2020-10177 high pillow v4.8
CVE-2020-10378 high pillow v4.8
CVE-2020-10379 high pillow v4.8
CVE-2020-10994 high pillow v4.8
CVE-2020-35653 high pillow v4.8
CVE-2020-35654 high pillow v4.8
CVE-2020-5313 high pillow v4.8
CVE-2021-23437 high pillow v4.8
CVE-2021-25287 high pillow v4.8
CVE-2021-25288 high pillow v4.8
CVE-2021-25290 high pillow v4.8
CVE-2021-25291 high pillow v4.8
CVE-2021-25293 high pillow v4.8
CVE-2021-27921 high pillow v4.8
CVE-2021-27922 high pillow v4.8
CVE-2021-27923 high pillow v4.8
CVE-2021-28675 high pillow v4.8
CVE-2021-28676 high pillow v4.8
CVE-2021-28677 high pillow v4.8
CVE-2021-3828 high nltk v4.8
CVE-2021-3842 high nltk v4.8
CVE-2021-41495 high numpy v4.8
CVE-2021-43854 high nltk v4.8
CVE-2022-21699 high ipython v4.8
CVE-2022-24303 high pillow v4.8
CVE-2022-30595 high pillow v4.8
CVE-2022-45198 high pillow v4.8
CVE-2022-45199 high pillow v4.8
CVE-2023-44271 high pillow v4.8
CVE-2023-4863 high KEV pillow v4.9
CVE-2023-7018 high transformers v4.8
CVE-2024-10569 high gradio 4.37.2+custom.20 v4.8
CVE-2024-10648 high gradio 4.37.2+custom.20 v4.8
CVE-2024-11392 high transformers v4.8
CVE-2024-11393 high transformers v4.8
CVE-2024-11394 high transformers v4.8
CVE-2024-28219 high pillow v4.8
CVE-2024-39705 high nltk v4.8
CVE-2024-47084 high gradio 4.37.2+custom.20 v4.8
CVE-2024-47867 high gradio 4.37.2+custom.20 v4.8
CVE-2024-47870 high gradio 4.37.2+custom.20 v4.8
CVE-2024-47871 high gradio 4.37.2+custom.20 v4.8
CVE-2024-8966 high gradio 4.37.2+custom.20 v4.8
CVE-2025-48379 high pillow v4.8
CVE-2026-0846 high nltk v4.8
CVE-2026-0847 high nltk v4.8
CVE-2026-1260 high sentencepiece v4.8
CVE-2026-25990 high pillow v4.8
CVE-2026-28414 high gradio 4.37.2+custom.20 v4.8
CVE-2026-28416 high gradio 4.37.2+custom.20 v4.8
CVE-2026-33231 high nltk v4.8
CVE-2026-33236 high nltk v4.8
CVE-2026-40192 high pillow v4.8
CVE-2026-41066 high lxml v4.8
CVE-2026-42311 high pillow v4.8
CVE-2026-44513 high diffusers v4.8
CVE-2014-1829 medium requests v4.8
CVE-2014-1830 medium requests v4.8
CVE-2014-1933 medium pillow v4.8
CVE-2014-3146 medium lxml v4.8
CVE-2015-2296 medium requests v4.8
CVE-2015-4706 medium ipython v4.8
CVE-2015-4707 medium ipython v4.8
CVE-2015-6938 medium ipython v4.8
CVE-2016-0740 medium pillow v4.8
CVE-2016-9189 medium pillow v4.8
CVE-2017-5992 medium openpyxl v4.8
CVE-2018-19787 medium lxml v4.8
CVE-2020-27783 medium lxml v4.8
CVE-2020-35655 medium pillow v4.8
CVE-2021-25292 medium pillow v4.8
CVE-2021-28678 medium pillow v4.8
CVE-2021-28957 medium lxml v4.8
CVE-2021-33430 medium numpy v4.8
CVE-2021-34141 medium numpy v4.8
CVE-2021-41496 medium numpy v4.8
CVE-2021-43818 medium lxml v4.8
CVE-2022-22815 medium pillow v4.8
CVE-2022-22816 medium pillow v4.8
CVE-2022-2309 medium lxml v4.8
CVE-2023-2800 medium transformers v4.8
CVE-2023-32681 medium requests v4.8
CVE-2024-12217 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-12720 medium transformers v4.8
CVE-2024-35195 medium requests v4.8
CVE-2024-47081 medium requests v4.8
CVE-2024-47164 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-47165 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-47166 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-47167 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-47868 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-47869 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-47872 medium gradio 4.37.2+custom.20 v4.8
CVE-2024-48052 medium gradio 4.37.2+custom.20 v4.8
CVE-2025-1194 medium transformers v4.8
CVE-2025-2099 medium transformers v4.8
CVE-2025-3262 medium transformers v4.8
CVE-2025-3263 medium transformers v4.8
CVE-2025-3264 medium transformers v4.8
CVE-2025-3933 medium transformers v4.8
CVE-2025-48889 medium gradio 4.37.2+custom.20 v4.8
CVE-2025-5197 medium transformers v4.8
CVE-2025-6051 medium transformers v4.8
CVE-2025-6638 medium transformers v4.8
CVE-2025-6921 medium transformers v4.8
CVE-2025-69534 medium markdown v4.8
CVE-2026-1839 medium transformers v4.8
CVE-2026-25645 medium requests v4.8
CVE-2026-28415 medium gradio 4.37.2+custom.20 v4.8
CVE-2026-3029 medium pymupdf v4.8
CVE-2026-33230 medium nltk v4.8
CVE-2026-42308 medium pillow v4.8
CVE-2026-42309 medium pillow v4.8
CVE-2026-42310 medium pillow v4.8
GHSA-jgpv-4h4c-xhw3 medium pillow v4.8
GHSA-rf74-v2fm-23pw medium nltk v4.8
CVE-2023-24816 low ipython v4.8
CVE-2024-34062 low tqdm v4.8
CVE-2024-3568 low transformers v4.8
CVE-2024-47168 low gradio 4.37.2+custom.20 v4.8
CVE-2025-3777 low transformers v4.8
CVE-2026-27167 low gradio 4.37.2+custom.20 v4.8
GHSA-26jh-r8g2-6fpr low gradio 4.37.2+custom.20 v4.8
GHSA-4fx9-vc88-q2xc low pillow v4.8
CVE-2020-13091 unknown pandas v4.8
CVE-2023-25399 unknown scipy v4.8
CVE-2023-29824 unknown scipy v4.8
MAL-2025-6794 unknown num2words v4.8
OSV-2022-1074 unknown pillow v4.8
OSV-2022-715 unknown pillow v4.8
PYSEC-2022-252 unknown deep-translator 1.9.2 v4.8
PYSEC-2023-175 unknown pillow v4.8
PYSEC-2025-72 unknown num2words v4.8
