Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (This finding is listed repeatedly in the scan output.)
Packages you depend on that have known security holes (CVEs).
CVE-2026-28414 Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+
CVE-2026-28416 Gradio: Gradio: Server-Side Request Forgery allows access to internal services via malicious Space loading
CVE-2025-48889 Gradio Allows Unauthorized File Copy via Path Manipulation
CVE-2026-28415 Gradio: Gradio: Open Redirect vulnerability allows redirection to arbitrary external URLs.
CVE-2026-28277 LangGraph checkpoint loading has unsafe msgpack deserialization
CVE-2026-27167 Gradio: Gradio: Information disclosure due to hardcoded secret in session cookie signing, allowing remote attackers to steal Hugging Face tokens.
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-63hf-3vf5-4wqf AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
PYSEC-2026-373 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
PYSEC-2026-457 Arbitrary Code Execution in Pillow
PYSEC-2025-119 Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrar
PYSEC-2026-63 Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically
PYSEC-2026-64 Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that en
PYSEC-2026-65 Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query param
PYSEC-2026-66 Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP r
GHSA-pc6w-59fv-rh23 Langchain Community Vulnerable to XML External Entity (XXE) Attacks
PYSEC-2026-83 LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msg
PYSEC-2026-237 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applicat
GHSA-4fvr-rgm6-gqmc aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
GHSA-63hw-fmq6-xxg2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
GHSA-6jhg-hg63-jvvf AIOHTTP vulnerable to denial of service through large payloads
GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
GHSA-8495-4g3g-x7pr aiohttp allows request smuggling due to incorrect parsing of chunk extensions
GHSA-966j-vmvw-g2g9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
GHSA-c427-h43c-vf67 AIOHTTP accepts duplicate Host headers
GHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
GHSA-g84x-mcqj-x9qq AIOHTTP vulnerable to DoS through chunked messages
GHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
GHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
GHSA-jg22-mg44-37j8 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
GHSA-jj3x-wxrx-4x23 AIOHTTP vulnerable to DoS when bypassing asserts
GHSA-m5qp-6w8w-w647 AIOHTTP has a Multipart Header Size Bypass
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.