gitsafehub
github.com/coreui/coreui-free-bootstrap-admin-template ↗

coreui/coreui-free-bootstrap-admin-template

scanned 2026-06-30 · git 487cd57
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies6Known OSS vulnerabilities32Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 6 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
    package-lock.json
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 32 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-29063). Fix: Update that package to its patched version.
  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2024-21538). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q3j6-qgpj-74h6 fast-uri vulnerable to path traversal via percent-encoded dot segments
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-6321). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v39h-62p7-jpjc fast-uri vulnerable to host confusion via percent-encoded authority delimiters
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-6322). Fix: Update that package to its patched version.
  • Worth fixing GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-32141). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33228). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xxjr-mmjv-4gpg Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f23m-r3pf-42rh lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2950). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-4800). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xxjr-mmjv-4gpg Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2025-13465). Fix: Update that package to its patched version.
  • Worth fixing GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27904). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-26996). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-27903). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33671). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3v7f-55p6-f55p Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
    /workdirs/scan-c25a7716-139c-49af-b855-32d59687dfe2/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33672). Fix: Update that package to its patched version.
… 7 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.