Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
- CVE-2025-32434 PyTorch is a Python package that provides tensor computation with stro ...
- CVE-2026-22029 @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects
- CVE-2025-68470 react-router: React Router unexpected external redirect
- CVE-2026-45736 ws is an open source WebSocket client and server for Node.js. Prior to ...
- CVE-2025-71176 pytest: pytest: Denial of Service or Privilege Escalation via insecure temporary directory handling
- CVE-2026-1260 sentencepiece: Sentencepiece: Invalid memory access leading to potential arbitrary code execution via a crafted model file.
- CVE-2025-3730 A vulnerability, which was classified as problematic, was found in PyT ...
- CVE-2025-62608 MLX has heap-buffer-overflow in load()
- CVE-2025-62609 MLX has Wild Pointer Dereference in load_gguf()
- GHSA-65p9-r9h6-22vj AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
- GHSA-9f94-5g5w-gf6r CRL Distribution Point Scope Check Logic Error in AWS-LC
- GHSA-hfpc-8r3f-gw53 AWS-LC has PKCS7_verify Signature Validation Bypass
- GHSA-vw5v-4f2q-w9xf AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
- CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
- CVE-2026-41676 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
- CVE-2026-41678 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
- CVE-2026-41681 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
- CVE-2026-41898 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
- CVE-2026-42327 rust-openssl: rust-openssl: Arbitrary code execution via specially crafted certificate
- CVE-2026-44662 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
- CVE-2026-45784 rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
- CVE-2025-53605 The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion ...
- GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING

Your dependencies cross-checked against the OSV vulnerability database.
- GHSA-53q9-r3pm-6pq6 PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
- GHSA-2w69-qvjg-hvjx React Router vulnerable to XSS via Open Redirects
- GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase
- GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted
- GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true
- GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via `_.template` imports key names
- GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
- GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
- GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
- GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers
- GHSA-mw96-cpmx-2vgc Rollup 4 has Arbitrary File Write via Path Traversal
- GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
- GHSA-38vq-g6vr-w8wf Sentencepiece has a heap overflow issue
- GHSA-x84v-xcm2-53pg Insufficiently Protected Credentials in Requests
- GHSA-65p9-r9h6-22vj AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
- GHSA-9f94-5g5w-gf6r CRL Distribution Point Scope Check Logic Error in AWS-LC
- GHSA-hfpc-8r3f-gw53 AWS-LC has PKCS7_verify Signature Validation Bypass
- GHSA-vw5v-4f2q-w9xf AWS-LC has PKCS7_verify Certificate Chain Validation Bypass

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
Maintenance & supply-chain hygiene. A signal about how the project is maintained — not a vulnerability in your code. It doesn't affect the verdict above.
OpenSSF Scorecard overall: 3.6/10
- CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
- Dependency-Update-Tool scored 0: no update tool detected
- Fuzzing scored 0: project is not fuzzed
- Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
- SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
- Security-Policy scored 0: security policy file not detected
- Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
- Vulnerabilities scored 0: 102 existing vulnerabilities detected