Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2020-11538 python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
CVE-2020-5310 python-pillow: Integer overflow leading to buffer overflow in ImagingLibTiffDecode
CVE-2020-5311 python-pillow: out-of-bounds write in expandrow in libImaging/SgiRleDecode.c
CVE-2020-5312 python-pillow: improperly restricted operations on memory buffer in libImaging/PcxDecode.c
CVE-2021-25289 python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
CVE-2021-34552 python-pillow: Buffer overflow in image convert function
CVE-2022-22817 python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions
CVE-2023-50447 pillow: Arbitrary Code Execution via the environment parameter
CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape
CVE-2020-28493 python-jinja2: ReDoS vulnerability in the urlize filter
CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
CVE-2024-34064 jinja2: accepts keys containing non-attribute characters
CVE-2024-56326 jinja2: Jinja has a sandbox breakout through indirect reference to format method
CVE-2025-27516 jinja2: Jinja sandbox breakout through attr filter selecting format method
CVE-2019-16865 python-pillow: reading specially crafted image files leads to allocation of large amounts of memory and denial of service
CVE-2019-19911 python-pillow: uncontrolled resource consumption in FpxImagePlugin.py
CVE-2020-10177 python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c
CVE-2020-10378 python-pillow: an out-of-bounds read in libImaging/PcxDecode.c can occur when reading PCX files
CVE-2020-10379 python-pillow: two buffer overflows in libImaging/TiffDecode.c due to small buffers allocated in ImagingLibTiffDecode()
CVE-2020-10994 python-pillow: multiple out-of-bounds reads via a crafted JP2 file
CVE-2020-35653 python-pillow: Buffer over-read in PCX image reader
CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
CVE-2020-5313 python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images
CVE-2021-23437 python-pillow: possible ReDoS via the getrgb function
CVE-2021-25287 python-pillow: Out-of-bounds read in J2K image reader

Your dependencies cross-checked against the OSV vulnerability database.
PYSEC-2020-80 In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
PYSEC-2020-81 libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.
PYSEC-2020-82 libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
PYSEC-2020-83 libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
PYSEC-2021-137 An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
PYSEC-2021-138 An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
PYSEC-2021-331 Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
PYSEC-2021-35 An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOT
PYSEC-2022-10 PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
PYSEC-2022-168 Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
GHSA-3f63-hfp8-52jq Arbitrary Code Execution in Pillow
PYSEC-2019-108 ** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object
PYSEC-2019-217 In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
PYSEC-2021-66 This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
Maintenance & supply-chain hygiene. A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
scorecard-overall OpenSSF Scorecard overall: 2.7/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 7 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected