Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code
CVE-2020-28493 python-jinja2: ReDoS vulnerability in the urlize filter
CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
CVE-2024-34064 jinja2: accepts keys containing non-attribute characters
CVE-2024-56326 jinja2: Jinja has a sandbox breakout through indirect reference to format method
CVE-2025-27516 jinja2: Jinja sandbox breakout through attr filter selecting format method
CVE-2021-20270 python-pygments: Infinite loop in SML lexer may lead to DoS
CVE-2021-27291 python-pygments: ReDoS in multiple lexers
CVE-2022-40896 pygments: ReDoS in pygments
CVE-2023-37920 python-certifi: Removal of e-Tugra root certificate
CVE-2022-23491 python-certifi: untrusted root certificates
CVE-2025-68146 filelock: filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbitrary file corruption or truncation
CVE-2026-22701 filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLock
CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server
CVE-2024-3651 python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()
CVE-2026-45409 Internationalized Domain Names in Applications (IDNA) for Python provi ...
CVE-2021-41495 numpy: NULL pointer dereference in numpy.sort in the PyArray_DescrNew() due to missing return-value validation
CVE-2021-33430 numpy: buffer overflow in the PyArray_NewFromDescr_int() in ctors.c
CVE-2021-34141 numpy: incomplete string comparison in the numpy.core component
CVE-2021-41496 numpy: buffer overflow in the array_from_pyobj() in fortranobject.c
CVE-2020-29651 python-py: ReDoS in the py.path.svnwc component via malicious input to blame functionality
CVE-2025-71176 pytest: pytest: Denial of Service or Privilege Escalation via insecure temporary directory handling
CVE-2023-32681 python-requests: Unintended leak of Proxy-Authorization header
CVE-2024-35195 requests: subsequent requests to the same host ignore cert verification
CVE-2024-47081 requests: Requests vulnerable to .netrc credentials leak via malicious URLs
Your dependencies cross-checked against the OSV vulnerability database.
PYSEC-2026-457 Arbitrary Code Execution in Pillow
PYSEC-2024-187 virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same
PYSEC-2017-74 The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
GHSA-4c99-qj7h-p3vg nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
GHSA-7jqv-fw35-gmx9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
GHSA-xm59-rqc7-hhvf nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
PYSEC-2023-227 An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of
PYSEC-2026-165 Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track of the current position, it may lead to an integer
GHSA-44wm-f244-xhp3 Pillow buffer overflow vulnerability
GHSA-j7hp-h8jx-5ppr libwebp: OOB write in BuildHuffmanTable
GHSA-r73j-pqj5-w3x7 Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
GHSA-7gcm-g887-7qv7 protobuf affected by a JSON recursion depth bypass
PYSEC-2021-421 Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
PYSEC-2021-66 This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the
GHSA-cpwx-vrp4-4pq7 Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
GHSA-h5c8-rqwp-cp95 Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h75v-3vvj-5mfj Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-q2x7-8rv6-6q7h Jinja has a sandbox breakout through indirect reference to format method
PYSEC-2021-140 An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only
PYSEC-2021-141 In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity an
PYSEC-2023-117 A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
PYSEC-2022-42986 Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from
PYSEC-2023-135 Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pur
PYSEC-2024-230 Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
Maintenance & supply-chain hygiene. A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
This check didn’t finish — that’s not the same as “clean.”