Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2025-24813 Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Exe ...
CVE-2026-41293 Improper Input Validation vulnerability in Apache Tomcat. This issue ...
CVE-2026-43512 DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
CVE-2026-43515 Improper Authorization vulnerability when multiple method constraints ...
CVE-2016-1000027 spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization
CVE-2024-25710 Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...
CVE-2024-26308 Allocation of Resources Without Limits or Throttling vulnerability in ...
CVE-2025-31672 Improper Input Validation vulnerability in Apache POI. The issue affec ...
CVE-2025-41249 The Spring Framework annotation detection mechanism may not correctly ...
CVE-2024-12798 ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...
CVE-2025-11226 QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
CVE-2023-51074 json-path: stack-based buffer overflow in Criteria.parse method
CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
CVE-2024-34750 Improper Handling of Exceptional Conditions, Uncontrolled Resource Con ...
CVE-2024-50379 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during ...
CVE-2024-56337 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apa ...
CVE-2025-48988 Allocation of Resources Without Limits or Throttling vulnerability in ...
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-5m62-pw8w-7w9f Apache Tomcat - Security constraints not correctly applied
GHSA-83qj-6fr2-vhqg Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
GHSA-h6fc-48rj-7qqh Apache Tomcat - Digest authenticator will authenticate any unknown user
GHSA-r29c-68gh-xp6x Apache Tomcat - HTTP/2 request headers not validated
GHSA-4wrc-f8pq-fpqp Pivotal Spring Framework contains unsafe Java deserialization methods
GHSA-jmp9-x22r-554x Spring Framework annotation detection mechanism may result in improper authorization
GHSA-h46c-h94j-95f3 jackson-core can throw a StackoverflowError when processing deeply nested data
GHSA-493p-pfq6-5258 json-smart Uncontrolled Recursion vulnerability
GHSA-25xr-qj8w-c4vf Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
GHSA-27hp-xhwr-wr2m Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
GHSA-563x-q5rq-57qp Apache Tomcat has an HTTP Request/Response Smuggling vulnerability
GHSA-5j33-cvvr-w245 Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
GHSA-5mp6-jrq3-r938 Apache Tomcat: LockOutRealm treats user names as case-sensitive
GHSA-fv25-8xcx-gqjc Apache Tomcat - WebSocket authentication header exposure
GHSA-gqp3-2cvr-x8m3 Apache Tomcat Improper Resource Shutdown or Release vulnerability
GHSA-gx5v-xp9w-j4cg Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
GHSA-h3gc-qfqq-6h8f Apache Tomcat - DoS in multipart upload
GHSA-mgp5-rv84-w37q Apache Tomcat has an Improper Input Validation vulnerability
GHSA-rv64-5gf8-9qq8 Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
GHSA-wm9w-rjj3-j356 Apache Tomcat - Denial of Service
GHSA-wmwf-9ccg-fff5 Apache Tomcat Vulnerable to Relative Path Traversal
GHSA-wr62-c79q-cv37 Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits
GHSA-x4m4-345f-5h5g Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File
GHSA-rqfh-9r24-8c9r AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
GHSA-rc42-6c7j-7h5r Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 3.4/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 8 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Code-Review Code-Review scored 0: Found 0/8 approved changesets -- score normalized to 0
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: project is archived
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
scorecard-Vulnerabilities Vulnerabilities scored 0: 71 existing vulnerabilities detected