gitsafehub
github.com/kkroening/ffmpeg-python

kkroening/ffmpeg-python

scanned 2026-06-30 · git df129c7
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit.

Summary: Leaked secrets · Vulnerable dependencies (40) · Known OSS vulnerabilities (66) · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 40 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-42771). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-28493 python-jinja2: ReDoS vulnerability in the urlize filter
    requirements.txt
    A package you depend on has a known security hole (CVE-2020-28493). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-22195). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-34064 jinja2: accepts keys containing non-attribute characters
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-34064). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-56326 jinja2: Jinja has a sandbox breakout through indirect reference to format method
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-56326). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-27516 jinja2: Jinja sandbox breakout through attr filter selecting format method
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-27516). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-20270 python-pygments: Infinite loop in SML lexer may lead to DoS
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-20270). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-27291 python-pygments: ReDoS in multiple lexers
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-27291). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-40896 pygments: ReDoS in pygments
    requirements.txt
    A package you depend on has a known security hole (CVE-2022-40896). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-37920 python-certifi: Removal of e-Tugra root certificate
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-37920). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-23491 python-certifi: untrusted root certificates
    requirements.txt
    A package you depend on has a known security hole (CVE-2022-23491). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-68146 filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbitrary file corruption or truncation
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-68146). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22701 filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLock
    requirements.txt
    A package you depend on has a known security hole (CVE-2026-22701). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server
    requirements.txt
    A package you depend on has a known security hole (CVE-2022-40899). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-3651 python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-3651). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45409 Internationalized Domain Names in Applications (IDNA) for Python provi ...
    requirements.txt
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-41495 numpy: NULL pointer dereference in numpy.sort in the PyArray_DescrNew() due to missing return-value validation
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-41495). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-33430 numpy: buffer overflow in the PyArray_NewFromDescr_int() in ctors.c
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-33430). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-34141 numpy: incomplete string comparison in the numpy.core component
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-34141). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-41496 numpy: buffer overflow in the array_from_pyobj() in fortranobject.c
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-41496). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-29651 python-py: ReDoS in the py.path.svnwc component via malicious input to blame functionality
    requirements.txt
    A package you depend on has a known security hole (CVE-2020-29651). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-71176 pytest: Denial of Service or Privilege Escalation via insecure temporary directory handling
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-71176). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-32681 python-requests: Unintended leak of Proxy-Authorization header
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-32681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-35195 requests: subsequent requests to the same host ignore cert verification
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-35195). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-47081 requests: Requests vulnerable to .netrc credentials leak via malicious URLs
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-47081). Fix: Update that package to its patched version.
… 15 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 66 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious PYSEC-2026-457 Arbitrary Code Execution in Pillow
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2023-50447). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-187 virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-53899). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2017-74 The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2016-10075). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing GHSA-4c99-qj7h-p3vg nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2026-39377). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7jqv-fw35-gmx9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2026-39378). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xm59-rqc7-hhvf nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2025-53000). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-227 An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2023-44271). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-165 Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2026-42308). Fix: Update that package to its patched version.
  • Worth fixing GHSA-44wm-f244-xhp3 Pillow buffer overflow vulnerability
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2024-28219). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j7hp-h8jx-5ppr libwebp: OOB write in BuildHuffmanTable
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2023-4863). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r73j-pqj5-w3x7 Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2026-42310). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7gcm-g887-7qv7 protobuf affected by a JSON recursion depth bypass
    examples/requirements.txt
    A package you depend on has a known security hole (CVE-2026-0994). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-421 Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-42771). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-66 This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the
    requirements.txt
    A package you depend on has a known security hole (CVE-2020-28493). Fix: Update that package to its patched version.
  • Worth fixing GHSA-cpwx-vrp4-4pq7 Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-27516). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h5c8-rqwp-cp95 Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-22195). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h75v-3vvj-5mfj Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-34064). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q2x7-8rv6-6q7h Jinja has a sandbox breakout through indirect reference to format method
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-56326). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-140 An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-20270). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-141 In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity an
    requirements.txt
    A package you depend on has a known security hole (CVE-2021-27291). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-117 A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
    requirements.txt
    A package you depend on has a known security hole (CVE-2022-40896). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2022-42986 Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from
    requirements.txt
    A package you depend on has a known security hole (CVE-2022-23491). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-135 Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pur
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-37920). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2024-230 Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-39689). Fix: Update that package to its patched version.
… 41 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: pypi:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.