Skip to content
Tools / WeKnora / Security

Security Deep Dive

WeKnora

Security posture and CVE patch evidence from tracked releases.

Back to Tool

4 critical dependency CVEs affects v0.6.0.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA — SBOM ✓ Security policy Weekly cadence · 8d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Present
GitHub repository metadata Repository policy
Checked: 22d ago
Release cadence: weekly Present
8d median over recent releases Release history
Latest release: 13d ago
Maintainer active Present
Recent commit activity Repository
Last commit: today
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 13d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 13d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 13d ago
3.8/10 Security Score
Dependency Exposure 99 transitive dependency CVEs found in the latest SBOM. 4 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

Up to date

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

⚠ No direct scan — 4c/34h transitive CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 84.7/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: estimated

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

1.5

10%

supply chain risk: 84.7 transitive cves: 4c/34h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 0d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 84.7/100
4 Transitive critical CVEs
0 KEV-transitive CVEs
65% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

917 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

4

High

34

Medium

43

Low

7

Unknown

11

Still affecting latest (2) All (99)
Critical 4 High 34 Medium 43 Low 7 Unknown 11
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2025-14009 critical nltk 3.9.2 v0.5.2
CVE-2025-63389 critical github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2026-33186 critical google.golang.org/grpc v1.78.0 v0.5.2
CVE-2026-33816 critical github.com/jackc/pgx/v5 v5.7.2 v0.5.2
CVE-2023-30533 high xlsx 0.20.2 v0.5.2
CVE-2024-22363 high xlsx 0.20.2 v0.5.2
CVE-2025-53365 high mcp 1.0.0 v0.5.2
CVE-2025-53366 high mcp 1.0.0 v0.5.2
CVE-2025-59530 high github.com/quic-go/quic-go v0.54.0 v0.5.2
CVE-2025-64512 high pdfminer-six 20250506 v0.5.2
CVE-2025-66416 high mcp 1.0.0 v0.5.2
CVE-2025-66418 high urllib3 2.5.0 v0.5.2
CVE-2025-66471 high urllib3 2.5.0 v0.5.2
CVE-2025-67818 high github.com/weaviate/weaviate v1.33.0-rc.1 v0.5.2
CVE-2025-67819 high github.com/weaviate/weaviate v1.33.0-rc.1 v0.5.2
CVE-2025-70559 high pdfminer-six 20250506 v0.5.2
CVE-2026-0846 high nltk 3.9.2 v0.5.2
CVE-2026-0847 high nltk 3.9.2 v0.5.2
CVE-2026-0994 high protobuf 6.33.0 v0.5.2
CVE-2026-21441 high urllib3 2.5.0 v0.5.2
CVE-2026-24051 high go.opentelemetry.io/otel/sdk v1.38.0 v0.5.2
CVE-2026-25990 high pillow 12.0.0 v0.5.2
CVE-2026-26007 high cryptography 46.0.3 v0.5.2
CVE-2026-29181 high go.opentelemetry.io/otel v1.38.0 v0.5.2
CVE-2026-32285 high github.com/buger/jsonparser v1.1.1 v0.5.2
CVE-2026-33231 high nltk 3.9.2 v0.5.2
CVE-2026-33236 high nltk 3.9.2 v0.5.2
CVE-2026-39883 high go.opentelemetry.io/otel/sdk v1.38.0 v0.5.2
CVE-2026-40192 high pillow 12.0.0 v0.5.2
CVE-2026-41066 high lxml 6.0.2 v0.5.2
CVE-2026-42033 high axios 1.15.0 v0.5.2
CVE-2026-42035 high axios 1.15.0 v0.5.2
CVE-2026-42043 high axios 1.15.0 v0.5.2
CVE-2026-42264 high axios 1.15.0 v0.5.2
CVE-2026-42311 high pillow 12.0.0 v0.5.2
CVE-2026-6321 high fast-uri 3.1.0 v0.5.2
CVE-2026-6322 high fast-uri 3.1.0 v0.5.2
CVE-2026-7482 high github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2023-36464 medium pypdf2 3.0.1 v0.5.2
CVE-2024-35195 medium requests 2.31.0 v0.5.2
CVE-2024-47081 medium requests 2.31.0 v0.5.2
CVE-2025-64702 medium github.com/quic-go/quic-go v0.54.0 v0.5.2
CVE-2025-66019 medium pypdf 6.1.3 v0.5.2
CVE-2025-66034 medium fonttools 4.60.1 v0.5.2
CVE-2026-24688 medium pypdf 6.1.3 v0.5.2
CVE-2026-25645 medium requests 2.32.5 v0.5.2
CVE-2026-27024 medium pypdf 6.1.3 v0.5.2
CVE-2026-27025 medium pypdf 6.1.3 v0.5.2
CVE-2026-27026 medium pypdf 6.1.3 v0.5.2
CVE-2026-27888 medium pypdf 6.1.3 v0.5.2
CVE-2026-28348 medium lxml-html-clean 0.4.3 v0.5.2
CVE-2026-28350 medium lxml-html-clean 0.4.3 v0.5.2
CVE-2026-28351 medium pypdf 6.1.3 v0.5.2
CVE-2026-28684 medium python-dotenv 1.2.1 v0.5.2
CVE-2026-28804 medium pypdf 6.1.3 v0.5.2
CVE-2026-31826 medium pypdf 6.1.3 v0.5.2
CVE-2026-33123 medium pypdf 6.1.3 v0.5.2
CVE-2026-33230 medium nltk 3.9.2 v0.5.2
CVE-2026-33699 medium pypdf 6.1.3 v0.5.2
CVE-2026-39892 medium cryptography 46.0.3 v0.5.2
CVE-2026-40260 medium pypdf 6.1.3 v0.5.2
CVE-2026-41168 medium pypdf 6.1.3 v0.5.2
CVE-2026-41305 medium postcss 8.5.6 v0.5.2
CVE-2026-41312 medium pypdf 6.1.3 v0.5.2
CVE-2026-41313 medium pypdf 6.1.3 v0.5.2
CVE-2026-41314 medium pypdf 6.1.3 v0.5.2
CVE-2026-41907 medium uuid 11.1.0 v0.5.2
CVE-2026-42034 medium axios 1.15.0 v0.5.2
CVE-2026-42036 medium axios 1.15.0 v0.5.2
CVE-2026-42037 medium axios 1.15.0 v0.5.2
CVE-2026-42038 medium axios 1.15.0 v0.5.2
CVE-2026-42039 medium axios 1.15.0 v0.5.2
CVE-2026-42041 medium axios 1.15.0 v0.5.2
CVE-2026-42042 medium axios 1.15.0 v0.5.2
CVE-2026-42044 medium axios 1.15.0 v0.5.2
CVE-2026-42308 medium pillow 12.0.0 v0.5.2
CVE-2026-42309 medium pillow 12.0.0 v0.5.2
CVE-2026-42310 medium pillow 12.0.0 v0.5.2
GHSA-rf74-v2fm-23pw medium nltk 3.9.2 v0.5.2
GHSA-xmrv-pmrh-hhx2 medium github.com/aws/aws-sdk-go-v2/service/s3 v1.83.0 v0.5.2
GHSA-xmrv-pmrh-hhx2 medium github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.6 v0.5.2
CVE-2026-22690 low pypdf 6.1.3 v0.5.2
CVE-2026-22691 low pypdf 6.1.3 v0.5.2
CVE-2026-27628 low pypdf 6.1.3 v0.5.2
CVE-2026-34073 low cryptography 46.0.3 v0.5.2
CVE-2026-41889 low github.com/jackc/pgx/v5 v5.7.2 v0.5.2
CVE-2026-42040 low axios 1.15.0 v0.5.2
CVE-2026-7020 low github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2024-12055 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2024-12886 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2024-8063 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2025-0312 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2025-0315 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2025-0317 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2025-1975 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2025-51471 unknown github.com/ollama/ollama v0.11.4 v0.5.2
CVE-2026-27141 unknown golang.org/x/net v0.50.0 v0.5.2
CVE-2026-33814 unknown golang.org/x/net v0.50.0 v0.5.2
CVE-2026-33815 unknown github.com/jackc/pgx/v5 v5.7.2 v0.5.2

Showing 99 of 99

Beta — feedback welcome: [email protected]