gitsafehub
github.com/code100x/cms

code100x/cms

scanned 2026-05-30 · git 9f3c8f4
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished, so treat this verdict as provisional until the scan has been re-run and the missing check has completed.

Informational scan, not a security audit.

Summary by check: Leaked secrets: none · Vulnerable dependencies: 112 · Known OSS vulnerabilities: 135 · Risky code patterns: none · Malicious dependencies: did not finish · Project health: 11 notes

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 112 found · 2 serious

Packages you depend on that have known security holes (CVEs).

  Every entry below was matched in pnpm-lock.yaml. The remediation is the same in each case: move the affected package to a patched release, either by updating the direct dependency that pulls it in or, for a transitive dependency, with a pnpm override. Most of the visible entries are a cluster of axios advisories, so one axios bump clears a large share of the list.

  • Serious · CVE-2025-7783 form-data: Unsafe random function in form-data
  • Serious · CVE-2025-29927 nextjs: Authorization Bypass in Next.js Middleware
  • Worth fixing · CVE-2025-27789 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
  • Worth fixing · CVE-2026-34601 xmldom: XML structure injection via CDATA terminator
  • Worth fixing · CVE-2026-41672 xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...
  • Worth fixing · CVE-2026-41673 xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...
  • Worth fixing · CVE-2026-41674 xmldom: Arbitrary XML markup injection
  • Worth fixing · CVE-2026-41675 xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...
  • Worth fixing · CVE-2025-69873 ajv: ReDoS via $data reference
  • Worth fixing · CVE-2025-27152 axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests
  • Worth fixing · CVE-2025-58754 axios: Axios DoS via lack of data size check
  • Worth fixing · CVE-2026-25639 axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
  • Worth fixing · CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
  • Worth fixing · CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
  • Worth fixing · CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
  • Worth fixing · CVE-2026-42264 Axios is a promise based HTTP client for the browser and Node.js. From ...
  • Worth fixing · CVE-2026-44492 axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
  • Worth fixing · CVE-2026-44494 axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
  • Worth fixing · CVE-2026-44495 axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
  • Worth fixing · CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
  • Worth fixing · CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
  • Worth fixing · CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits
  • Worth fixing · CVE-2026-42036 axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used
  • Worth fixing · CVE-2026-42037 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
  • Worth fixing · CVE-2026-42038 axios: Axios: Information disclosure due to `no_proxy` bypass
… 87 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 135 found · 3 serious

Your dependencies cross-checked against the OSV vulnerability database. This list overlaps heavily with the Trivy list above: the form-data and Next.js entries rated serious here are the same advisories as CVE-2025-7783 and CVE-2025-29927, shown under their GHSA identifiers, so the two counts (112 and 135) describe largely the same set of advisories and must not be added together. OSV-Scanner additionally rates the Vitest advisory as serious.

  Every entry below was matched in pnpm-lock.yaml (the scanner reports the path under its temporary working directory). The remediation in each case is to move the package to a patched release, via the direct dependency that pulls it in or a pnpm override for a transitive one.

  • Serious · GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
  • Serious · GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware
  • Serious · GHSA-9crc-q9x8-hgqq Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening (a development-time exposure: it needs the Vitest API server listening on the developer's machine, so it concerns contributor workstations rather than the deployed site)
  • Worth fixing · GHSA-2v35-w6hq-6mfw xmldom: Uncontrolled recursion in XML serialization leads to DoS
  • Worth fixing · GHSA-f6ww-3ggp-fr8h xmldom has XML injection through unvalidated DocumentType serialization
  • Worth fixing · GHSA-j759-j44w-7fr8 xmldom has XML node injection through unvalidated comment serialization
  • Worth fixing · GHSA-wh4c-j3r5-mjhp xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
  • Worth fixing · GHSA-x6wf-f3px-wcqx xmldom has XML node injection through unvalidated processing instruction serialization
  • Worth fixing · GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
  • Worth fixing · GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
  • Worth fixing · GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
  • Worth fixing · GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check
  • Worth fixing · GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
  • Worth fixing · GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
  • Worth fixing · GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
  • Worth fixing · GHSA-pjwm-pj3p-43mv axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
  • Worth fixing · GHSA-pmwg-cvhr-8vh7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
  • Worth fixing · GHSA-q8qp-cvcw-x6jj Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
  • Worth fixing · GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
  • Worth fixing · GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
  • Worth fixing · GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
  • Worth fixing · GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true
  • Worth fixing · GHSA-qjx8-664m-686j JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
  • Worth fixing · GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names (listed twice by the scanner)
… 110 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check did not finish, which is not the same as a clean result: re-run the scan before treating the malicious-dependency check as a pass.

via Guarddog v2.10.0 · Apache-2.0

Scanner error reported: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 11 notes

Maintenance and supply-chain hygiene, as scored by Scorecard's individual checks.

  Each entry is a project-health signal (maintenance and supply-chain hygiene), not a vulnerability in your code.

  • Worth fixing · scorecard-overall: OpenSSF Scorecard overall 3.1/10
  • Minor · scorecard-CI-Tests: CI-Tests scored 0: 0 out of 14 merged PRs checked by a CI test (score normalized to 0)
  • Minor · scorecard-CII-Best-Practices: CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
  • Minor · scorecard-Dependency-Update-Tool: Dependency-Update-Tool scored 0: no update tool detected
  • Minor · scorecard-Fuzzing: Fuzzing scored 0: project is not fuzzed
  • Minor · scorecard-Maintained: Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days (score normalized to 0)
  • Minor · scorecard-Pinned-Dependencies: Pinned-Dependencies scored 0: dependency not pinned by hash detected (score normalized to 0)
  • Minor · scorecard-SAST: SAST scored 0: SAST tool is not run on all commits (score normalized to 0)
  • Minor · scorecard-Security-Policy: Security-Policy scored 0: security policy file not detected
  • Minor · scorecard-Token-Permissions: Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
  • Minor · scorecard-Vulnerabilities: Vulnerabilities scored 0: 122 existing vulnerabilities detected

  Three of these read across to the dependency findings above. Maintained scored 0 (no commits or issue activity in 90 days), so the vulnerable packages are unlikely to be bumped upstream and a consumer has to pin fixes locally. Token-Permissions scored 0, meaning a compromised action or build step in the workflows runs with a GITHUB_TOKEN that has more than read access, and Pinned-Dependencies scored 0 means those actions are referenced by mutable tag rather than commit hash, so the two findings compound. The 122 counted under Vulnerabilities is Scorecard's own tally of largely the same advisories that Trivy reports as 112 and OSV-Scanner as 135; the three tools match lockfile entries differently, and the numbers are not additive.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.