Tools / windmill / Security

Security Deep Dive

windmill

Security posture and CVE patch evidence from tracked releases.

Back to Tool

12 critical dependency CVEs affects v1.677.0.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA ✓ SBOM ✗ Security policy Weekly cadence · 0d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present

Signed releases Unknown

Latest release artifact signature Latest release

—

SLSA provenance Unknown

Attestation predicate level Latest release

—

SBOM published Present

GitHub SBOM API Latest release

Last verified: 28d ago

SECURITY.md Absent

GitHub repository metadata Repository policy

Checked: 17d ago

Release cadence: weekly Present

0d median over recent releases Release history

Latest release: 1mo ago

Maintainer active Present

Recent commit activity Repository

Last commit: 3d ago

Checksums (SHA256SUMS) Not active yet

SHA256SUMS or equivalent Release asset

Latest release: 1mo ago

GitHub Actions attestation Not active yet

actions/attest-build-provenance Workflow file

Latest release: 1mo ago

Signing assets Not active yet

.sig, .crt, cosign.pub, or similar Release asset

Latest release: 1mo ago

3.8/10 Security Score

Pending CVE Patch Speed

Open CVEs Open CVEs detected for latest version.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

3d stale

scorecard

2.00 / 4.0

⚠ Estimated — not yet collected

cve health

0.00 / 2.5

Open CVEs detected

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 100.0/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: open cve scan: available

Release responsiveness

release responsiveness

10.0

patch speed days: no_history

Dependency exposure

dependency exposure

0.0

10%

supply chain risk: 100.0 transitive cves: 12c/68h

Provenance trust

provenance trust

5.0

40%

scorecard score: estimated openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 3d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none

How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 100.0/100

12 Transitive critical CVEs

0 KEV-transitive CVEs

62% Dependency freshness

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

3584 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

High

Medium

Low

Unknown

Still affecting latest (122) All (212)

Critical 12 High 68 Medium 78 Low 24 Unknown 30

CVE	Severity	KEV	Dependency	Affected version	Cleared in release
CVE-2012-0805	critical	—	sqlalchemy	—	—
CVE-2017-18342	critical	—	pyyaml	—	—
CVE-2018-20060	critical	—	urllib3	—	—
CVE-2019-20477	critical	—	pyyaml	—	—
CVE-2019-6446	critical	—	numpy	—	—
CVE-2019-7164	critical	—	sqlalchemy	—	—
CVE-2019-7548	critical	—	sqlalchemy	—	—
CVE-2020-14343	critical	—	pyyaml	—	—
CVE-2020-1747	critical	—	pyyaml	—	—
CVE-2025-14009	critical	—	nltk	—	—
CVE-2025-43859	critical	—	h11	0.14.0	—
CVE-2026-33937	critical	—	handlebars	4.7.8	—
CVE-2014-1858	high	—	numpy	—	—
CVE-2014-1859	high	—	numpy	—	—
CVE-2016-9243	high	—	cryptography	—	—
CVE-2017-11424	high	—	pyjwt	—	—
CVE-2017-12852	high	—	numpy	—	—
CVE-2018-10903	high	—	cryptography	—	—
CVE-2018-18074	high	—	requests	—	—
CVE-2019-11324	high	—	urllib3	—	—
CVE-2019-14751	high	—	nltk	—	—
CVE-2019-2435	high	—	mysql-connector-python	—	—
CVE-2020-13757	high	—	rsa	—	—
CVE-2020-25658	high	—	rsa	—	—
CVE-2020-25659	high	—	cryptography	—	—
CVE-2020-36242	high	—	cryptography	—	—
CVE-2020-7212	high	—	urllib3	—	—
CVE-2021-33503	high	—	urllib3	—	—
CVE-2021-3828	high	—	nltk	—	—
CVE-2021-3842	high	—	nltk	—	—
CVE-2021-41495	high	—	numpy	—	—
CVE-2021-43854	high	—	nltk	—	—
CVE-2022-29217	high	—	pyjwt	—	—
CVE-2023-0286	high	—	cryptography	—	—
CVE-2023-37920	high	—	certifi	—	—
CVE-2023-38325	high	—	cryptography	—	—
CVE-2023-43804	high	—	urllib3	—	—
CVE-2023-50782	high	—	cryptography	—	—
CVE-2024-21272	high	—	mysql-connector-python	—	—
CVE-2024-26130	high	—	cryptography	—	—
CVE-2024-39705	high	—	nltk	—	—
CVE-2025-64756	high	—	glob	10.4.5	—
CVE-2025-66418	high	—	urllib3	—	—
CVE-2025-66471	high	—	urllib3	—	—
CVE-2026-0846	high	—	nltk	—	—
CVE-2026-0847	high	—	nltk	—	—
CVE-2026-21441	high	—	urllib3	—	—
CVE-2026-25547	high	—	@isaacs/brace-expansion	5.0.0	—
CVE-2026-26007	high	—	cryptography	—	—
CVE-2026-26996	high	—	minimatch	5.1.6	—
CVE-2026-27903	high	—	minimatch	10.2.2	—
CVE-2026-27904	high	—	minimatch	10.2.2	—
CVE-2026-29074	high	—	svgo	3.3.2	—
CVE-2026-31812	high	—	quinn-proto	0.11.13	—
CVE-2026-32141	high	—	flatted	3.3.3	—
CVE-2026-32597	high	—	pyjwt	—	—
CVE-2026-33228	high	—	flatted	3.3.3	—
CVE-2026-33231	high	—	nltk	—	—
CVE-2026-33236	high	—	nltk	—	—
CVE-2026-33671	high	—	picomatch	4.0.3	—
CVE-2026-33938	high	—	handlebars	4.7.8	—
CVE-2026-33939	high	—	handlebars	4.7.8	—
CVE-2026-33940	high	—	handlebars	4.7.8	—
CVE-2026-33941	high	—	handlebars	4.7.8	—
CVE-2026-35209	high	—	defu	6.1.4	—
CVE-2026-39363	high	—	vite	8.0.0	—
CVE-2026-39364	high	—	vite	8.0.0	—
CVE-2026-40073	high	—	@sveltejs/kit	2.53.4	—
CVE-2026-42215	high	—	gitpython	3.1.43	—
CVE-2026-42284	high	—	gitpython	3.1.43	—
CVE-2026-42327	high	—	openssl	0.10.78	—
CVE-2026-42559	high	—	rmcp	0.15.0	—
CVE-2026-44243	high	—	gitpython	3.1.43	—
CVE-2026-44244	high	—	gitpython	3.1.43	—
CVE-2026-4800	high	—	lodash	4.17.21	—
CVE-2026-6321	high	—	fast-uri	3.1.0	—
CVE-2026-6322	high	—	fast-uri	3.1.0	—
GHSA-3v94-mw7p-v465	high	—	hickory-proto	0.25.0-alpha.5	—
GHSA-82j2-j2ch-gfr8	high	—	rustls-webpki	0.101.7	—
GHSA-gfxp-f68g-8x78	high	—	libyml	0.0.5	—
CVE-2013-2132	medium	—	pymongo	—	—
CVE-2014-1829	medium	—	requests	—	—
CVE-2014-1830	medium	—	requests	—	—
CVE-2015-2296	medium	—	requests	—	—
CVE-2016-1494	medium	—	rsa	—	—
CVE-2016-9015	medium	—	urllib3	—	—
CVE-2018-25091	medium	—	urllib3	—	—
CVE-2019-11236	medium	—	urllib3	—	—
CVE-2020-26137	medium	—	urllib3	—	—
CVE-2021-28363	medium	—	urllib3	—	—
CVE-2021-3163	medium	—	quill	1.3.7	—
CVE-2021-33430	medium	—	numpy	—	—
CVE-2021-34141	medium	—	numpy	—	—
CVE-2021-41496	medium	—	numpy	—	—
CVE-2022-23491	medium	—	certifi	—	—
CVE-2023-23931	medium	—	cryptography	—	—
CVE-2023-32681	medium	—	requests	—	—
CVE-2023-45803	medium	—	urllib3	—	—
CVE-2023-49083	medium	—	cryptography	—	—
CVE-2023-49092	medium	—	rsa	0.9.10	—
CVE-2024-0727	medium	—	cryptography	—	—
CVE-2024-35195	medium	—	requests	—	—
CVE-2024-3651	medium	—	idna	3.6	—
CVE-2024-37891	medium	—	urllib3	—	—
CVE-2024-47081	medium	—	requests	—	—
CVE-2024-5629	medium	—	pymongo	—	—
CVE-2025-13465	medium	—	lodash	4.17.21	—
CVE-2025-15284	medium	—	qs	6.14.0	—
CVE-2025-4432	medium	—	ring	0.16.20	—
CVE-2025-48888	medium	—	deno_runtime	0.198.0	—
CVE-2025-48934	medium	—	deno_runtime	0.198.0	—
CVE-2025-50181	medium	—	urllib3	—	—
CVE-2025-50182	medium	—	urllib3	—	—
CVE-2025-64718	medium	—	js-yaml	3.14.1	—
CVE-2025-66400	medium	—	mdast-util-to-hast	13.2.0	—
CVE-2025-69873	medium	—	ajv	8.17.1	—
CVE-2025-71176	medium	—	pytest	9.0.2	—
CVE-2026-0540	medium	—	dompurify	3.3.1	—
CVE-2026-25537	medium	—	jsonwebtoken	9.3.1	—
CVE-2026-25541	medium	—	bytes	1.10.1	—
CVE-2026-25645	medium	—	requests	—	—
CVE-2026-25727	medium	—	time	0.3.41	—
CVE-2026-27901	medium	—	svelte	5.53.2	—
CVE-2026-27902	medium	—	svelte	5.53.2	—
CVE-2026-28684	medium	—	python-dotenv	1.2.1	—
CVE-2026-2950	medium	—	lodash	4.17.21	—
CVE-2026-30226	medium	—	devalue	5.6.3	—
CVE-2026-32766	medium	—	astral-tokio-tar	0.5.6	—
CVE-2026-33055	medium	—	tar	0.4.44	—
CVE-2026-33056	medium	—	tar	0.4.44	—
CVE-2026-33230	medium	—	nltk	—	—
CVE-2026-33532	medium	—	yaml	2.8.2	—
CVE-2026-33672	medium	—	picomatch	4.0.3	—
CVE-2026-33750	medium	—	brace-expansion	5.0.2	—
CVE-2026-33916	medium	—	handlebars	4.7.8	—
CVE-2026-39365	medium	—	vite	8.0.0	—
CVE-2026-39892	medium	—	cryptography	—	—
CVE-2026-40074	medium	—	@sveltejs/kit	2.53.4	—
CVE-2026-41238	medium	—	dompurify	3.3.1	—
CVE-2026-41239	medium	—	dompurify	3.3.1	—
CVE-2026-41240	medium	—	dompurify	3.3.1	—
CVE-2026-41305	medium	—	postcss	8.5.8	—
CVE-2026-43868	medium	—	thrift	0.17.0	—
CVE-2026-44662	medium	—	openssl	0.10.78	—
CVE-2026-5758	medium	—	protocol-buffers-schema	3.6.0	—
GHSA-39hc-v87j-747x	medium	—	cryptography	—	—
GHSA-39q2-94rc-95cp	medium	—	dompurify	3.3.1	—
GHSA-747p-wmpv-9c78	medium	—	awscli	—	—
GHSA-7rx3-28cr-v5wh	medium	—	handlebars	4.7.8	—
GHSA-cj63-jhhr-wcxv	medium	—	dompurify	3.3.1	—
GHSA-cjmm-f4jc-qw8r	medium	—	dompurify	3.3.1	—
GHSA-fp55-jw48-c537	medium	—	astral-tokio-tar	0.5.6	—
GHSA-h4gh-qq45-vh27	medium	—	cryptography	—	—
GHSA-h8r8-wccr-v5f2	medium	—	dompurify	3.3.1	—
GHSA-hhw4-xg65-fp2x	medium	—	serde_yml	0.0.12	—
GHSA-pwjx-qhcg-rvj4	medium	—	rustls-webpki	0.102.8	—
GHSA-q2qq-hmj6-3wpp	medium	—	hickory-proto	0.25.0-alpha.5	—
GHSA-rf74-v2fm-23pw	medium	—	nltk	—	—
CVE-2017-3590	low	—	mysql-connector-python	—	—
CVE-2024-12797	low	—	cryptography	—	—
CVE-2024-39689	low	—	certifi	—	—
CVE-2024-47764	low	—	cookie	0.6.0	—
CVE-2024-53861	low	—	pyjwt	—	—
CVE-2026-2391	low	—	qs	6.14.0	—
CVE-2026-24001	low	—	diff	7.0.0	—
CVE-2026-34073	low	—	cryptography	—	—
CVE-2026-4539	low	—	pygments	2.19.2	—
GHSA-442j-39wm-28r2	low	—	handlebars	4.7.8	—
GHSA-5cpq-8wj7-hf2v	low	—	cryptography	—	—
GHSA-965h-392x-2mh5	low	—	rustls-webpki	0.101.7	—
GHSA-cq8v-f236-94qc	low	—	rand	0.9.2	—
GHSA-g59m-gf8j-gjf5	low	—	aws-sdk-sqs	1.77.0	—
GHSA-g59m-gf8j-gjf5	low	—	aws-sdk-config	1.68.0	—
GHSA-g59m-gf8j-gjf5	low	—	aws-sdk-sts	1.79.0	—
GHSA-gmx7-gr5q-85w5	low	—	magic-crypt	3.1.13	—
GHSA-j965-2qgj-vjmq	low	—	aws-sdk	2.1693.0	—
GHSA-jm77-qphf-c4w8	low	—	cryptography	—	—
GHSA-mwv9-gp5h-frr4	low	—	devalue	5.6.3	—
GHSA-rhfx-m35p-ff5j	low	—	lru	0.12.5	—
GHSA-v8gr-m533-ghj9	low	—	cryptography	—	—
GHSA-xgp8-3hg3-c2mh	low	—	rustls-webpki	0.101.7	—
GHSA-xx64-wwv2-hcqq	low	—	astral-tokio-tar	0.5.6	—
CVE-2020-13091	unknown	—	pandas	—	—
RUSTSEC-2021-0141	unknown	—	dotenv	0.15.0	—
RUSTSEC-2024-0320	unknown	—	yaml-rust	0.4.5	—
RUSTSEC-2024-0370	unknown	—	proc-macro-error	1.0.4	—
RUSTSEC-2024-0430	unknown	—	magic-crypt	3.1.13	—
RUSTSEC-2024-0436	unknown	—	paste	1.0.15	—
RUSTSEC-2025-0010	unknown	—	ring	0.16.20	—
RUSTSEC-2025-0056	unknown	—	adler	1.0.2	—
RUSTSEC-2025-0067	unknown	—	libyml	0.0.5	—
RUSTSEC-2025-0068	unknown	—	serde_yml	0.0.12	—
RUSTSEC-2025-0075	unknown	—	unic-char-range	0.9.0	—
RUSTSEC-2025-0080	unknown	—	unic-common	0.9.0	—
RUSTSEC-2025-0081	unknown	—	unic-char-property	0.9.0	—
RUSTSEC-2025-0090	unknown	—	unic-emoji-char	0.9.0	—
RUSTSEC-2025-0094	unknown	—	unic-ucd-category	0.9.0	—
RUSTSEC-2025-0098	unknown	—	unic-ucd-version	0.9.0	—
RUSTSEC-2025-0100	unknown	—	unic-ucd-ident	0.9.0	—
RUSTSEC-2025-0119	unknown	—	number_prefix	0.4.0	—
RUSTSEC-2025-0134	unknown	—	rustls-pemfile	1.0.4	—
RUSTSEC-2025-0141	unknown	—	bincode	1.3.3	—
RUSTSEC-2026-0002	unknown	—	lru	0.12.5	—
RUSTSEC-2026-0049	unknown	—	rustls-webpki	0.102.8	—
RUSTSEC-2026-0097	unknown	—	rand	0.9.2	—
RUSTSEC-2026-0098	unknown	—	rustls-webpki	0.101.7	—
RUSTSEC-2026-0099	unknown	—	rustls-webpki	0.101.7	—
RUSTSEC-2026-0104	unknown	—	rustls-webpki	0.101.7	—
RUSTSEC-2026-0112	unknown	—	astral-tokio-tar	0.5.6	—
RUSTSEC-2026-0113	unknown	—	astral-tokio-tar	0.5.6	—
RUSTSEC-2026-0118	unknown	—	hickory-proto	0.25.0-alpha.5	—
RUSTSEC-2026-0119	unknown	—	hickory-proto	0.25.0-alpha.5	—

Showing 212 of 212