github.com/chaitin/xray

chaitin/xray

scanned 2026-06-30 · git aee9f9c
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Leaked secrets: 4 · Vulnerable dependencies: 16 · Known OSS vulnerabilities: 201 · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks 4 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    pocs/couchdb-cve-2017-12635.yml:21
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    pocs/dlink-dsl-2888a-rce.yml:19
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    pocs/kingsoft-v8-default-password.yml:10
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    pocs/sangfor-edr-cssp-rce.yml:9
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 16 found · 3 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2019-20477). Fix: Update that package to its patched version.
  • Serious CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2020-14343). Fix: Update that package to its patched version.
  • Serious CVE-2020-1747 PyYAML: arbitrary command execution through python/object/new when FullLoader is used
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2020-1747). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-4068 braces: fails to limit the number of characters it can handle
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2024-4068). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-24785 Moment.js: Path traversal in moment.locale
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-24785). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-31129). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-30861 flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2023-30861). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-32681 python-requests: Unintended leak of Proxy-Authorization header
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2023-32681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-35195 requests: subsequent requests to the same host ignore cert verification
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2024-35195). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-47081 requests: Requests vulnerable to .netrc credentials leak via malicious URLs
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47081). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25645 requests: Requests: Security bypass due to predictable temporary file creation
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2026-25645). Fix: Update that package to its patched version.
  • Minor CVE-2024-9506 vue: Regular Expression Denial of Service (ReDoS)
    report/yarn.lock
    A package you depend on has a known security hole (CVE-2024-9506). Fix: Update that package to its patched version.
  • Minor CVE-2026-27205 flask: Flask: Information disclosure via improper caching of session data
    webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2026-27205). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 201 found · 18 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2023-45133). Fix: Update that package to its patched version.
  • Serious GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-9287). Fix: Update that package to its patched version.
  • Serious GHSA-phwq-j96m-2c2q ejs template injection vulnerability
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-29078). Fix: Update that package to its patched version.
  • Serious GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-1650). Fix: Update that package to its patched version.
  • Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
  • Serious GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3918). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-37601). Fix: Update that package to its patched version.
  • Serious GHSA-xvch-5gv4-984h Prototype Pollution in minimist
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2021-44906). Fix: Update that package to its patched version.
  • Serious GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-6545). Fix: Update that package to its patched version.
  • Serious GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-6547). Fix: Update that package to its patched version.
  • Serious GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-9288). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Serious GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2022-0686). Fix: Update that package to its patched version.
  • Serious PYSEC-2020-176 PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue ex
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2019-20477). Fix: Update that package to its patched version.
  • Serious PYSEC-2020-96 A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method o
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2020-1747). Fix: Update that package to its patched version.
  • Serious PYSEC-2021-142 A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/webhook/requirements.txt
    A package you depend on has a known security hole (CVE-2020-14343). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-whgm-jr23-g3j9 Uncontrolled Resource Consumption in ansi-html
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2021-23424). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
  • Worth fixing GHSA-93q8-gq69-wqmw Inefficient Regular Expression Complexity in chalk/ansi-regex
    /workdirs/scan-9b2bbc73-0f0b-48ef-acf6-6643b82ff7c9/report/yarn.lock
    A package you depend on has a known security hole (CVE-2021-3807). Fix: Update that package to its patched version.
… 176 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.”

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.