Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.”
Packages you depend on that have known security holes (CVEs).
CVE-2026-54906 concurrent-ruby: rubygem-concurrent-ruby: concurrent-ruby: Synchronization flaw in ReadWriteLock allows unauthorized lock release and denial of service
CVE-2026-33176 Rails: Active Support: Active Support: Denial of Service via large scientific notation strings
CVE-2026-33169 rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings
CVE-2026-33170 Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%
CVE-2026-35611 addressable: Addressable: Denial of Service via crafted URI templates
CVE-2026-54904 concurrent-ruby: rubygem-concurrent-ruby: concurrent-ruby: Denial of Service due to infinite loop in AtomicReference#update
CVE-2026-54905 concurrent-ruby: Concurrent-ruby: Incorrect write lock granting leading to broken mutual exclusion
CVE-2024-49761 rexml: REXML ReDoS vulnerability
CVE-2024-35176 REXML: DoS parsing an XML with many `<`s in an attribute value
CVE-2024-39908 rexml: DoS vulnerability in REXML
CVE-2024-41123 rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace character, >] and ]>
CVE-2024-41946 rexml: DoS vulnerability in REXML
CVE-2024-43398 rexml: DoS vulnerability in REXML
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-2j26-frm8-cmj9 Rails Active Support has a possible DoS vulnerability in its number helpers
GHSA-89vf-4333-qx8v Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
GHSA-cg4j-q9v8-6v38 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
GHSA-h27x-rffw-24p4 Addressable has a Regular Expression Denial of Service in Addressable templates
GHSA-h8w8-99g7-qmvj Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
GHSA-2rxp-v6pw-ch6m REXML ReDoS vulnerability
GHSA-4xqq-m2hx-25v8 REXML denial of service vulnerability
GHSA-5866-49gr-22v4 REXML DoS vulnerability
GHSA-r55c-59qm-vjw6 REXML DoS vulnerability
GHSA-vg3r-rm7w-2xgh REXML contains a denial of service vulnerability
GHSA-vmwr-mc7x-5vc3 REXML denial of service vulnerability
GHSA-6wx8-w4f5-wwcr Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption
GHSA-wv3x-4vxv-whpp Concurrent Ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 4.5/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.