Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2026-34993 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()
CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirects
CVE-2026-54273 aiohttp: AIOHTTP: Denial of Service via excessive pipelined requests
CVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloads
CVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirect
CVE-2026-54277 aiohttp: aiohttp: Denial of Service via oversized HTTP request lines bypassing max_line_size check
CVE-2026-54278 aiohttp: aiohttp: Denial of Service due to excessive memory consumption from compressed request body
GHSA-537c-gmf6-5ccf Vulnerable OpenSSL included in cryptography wheels
CVE-2026-45409 Internationalized Domain Names in Applications (IDNA) for Python provi ...
GHSA-4xgf-cpjx-pc3j pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
CVE-2026-48526 python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens
CVE-2026-48522 python-pyjwt: PyJWT: Server-Side Request Forgery (SSRF) via uncontrolled URL fetching in PyJWKClient
CVE-2026-48523 python-pyjwt: PyJWT: Verifier-side algorithm bypass leads to unauthorized information access
CVE-2026-48525 python-pyjwt: PyJWT: Denial of Service via processing of crafted detached JWS tokens
CVE-2026-53539 Python-Multipart is a streaming multipart parser for Python. Prior to ...
CVE-2026-48818 starlette: Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
CVE-2026-54283 Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1. ...
CVE-2026-48710 starlette: Starlette: Security restriction bypass via malformed HTTP Host header
CVE-2026-48817 starlette: Starlette: Information disclosure and unintended method execution via non-standard HTTP methods
CVE-2026-44431 urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers
CVE-2026-44432 urllib3: urllib3: Denial of Service due to excessive HTTP response decompression
CVE-2026-50269 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
CVE-2026-54275 aiohttp: AIOHTTP: TLS SNI check bypass via connection reuse
CVE-2026-54279 aiohttp: AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
CVE-2026-54280 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-4fvr-rgm6-gqmc aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
GHSA-63hw-fmq6-xxg2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
GHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
GHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
GHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
GHSA-jg22-mg44-37j8 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
GHSA-xcgm-r5h9-7989 aiohttp: Incomplete websocket frame payloads bypass memory limits
GHSA-537c-gmf6-5ccf Vulnerable OpenSSL included in cryptography wheels
GHSA-7g5w-pq96-8c5w flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
GHSA-4xgf-cpjx-pc3j pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
PYSEC-2026-175 PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector register
PYSEC-2026-178 PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decod
PYSEC-2026-179 PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate
GHSA-jq35-7prp-9v3f PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
GHSA-5rvq-cxj2-64vf python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
PYSEC-2026-161 BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
GHSA-82w8-qh3p-5jfq Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
GHSA-wqp7-x3pw-xc5r Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
GHSA-x746-7m8f-x49c Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
GHSA-rrmf-rvhw-rf47 PyTorch is vulnerable to memory corruption through its torch.jit.script function
PYSEC-2026-141 urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=Fal
PYSEC-2026-142 urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) ca
GHSA-2fqr-mr3j-6wp8 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
GHSA-4m7w-qmgq-4wj5 aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 3.0/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 1 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Code-Review Code-Review scored 0: Found 0/26 approved changesets -- score normalized to 0
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected