gitsafehub
github.com/maybe-finance/maybe

maybe-finance/maybe

scanned 2026-05-27 · git 77b5469
3 of 6 checks flagged a security issue
🔴 Needs attention
6 checks ran. Start with vulnerable dependencies below.

Informational scan, not a security audit.

Summary of findings per check:

  • Leaked secrets: 4
  • Vulnerable dependencies: 57
  • Known OSS vulnerabilities: 55
  • Risky code patterns: none found
  • Malicious dependencies: none found
  • Project health: 10 notes

Security checks

Leaked secrets — Gitleaks 4 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    test/controllers/settings/api_keys_controller_test.rb:36
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    test/models/api_key_test.rb:11
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    test/system/settings/api_keys_test.rb:57
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    test/system/settings/api_keys_test.rb:151
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 57 found · 7 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-33195 Rails: Active Storage: Active Storage (Rails): Arbitrary file access via path traversal in blob keys
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33195). Fix: Update that package to its patched version.
  • Serious CVE-2026-33202 rails: Active Storage: Unintended file deletion via crafted blob keys
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33202). Fix: Update that package to its patched version.
  • Serious CVE-2026-42257 net-imap: Net::IMAP: Arbitrary IMAP command injection via CRLF sequences in unvalidated input
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-42257). Fix: Update that package to its patched version.
  • Serious CVE-2026-42258 Net::IMAP implements Internet Message Access Protocol (IMAP) client fu ...
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-42258). Fix: Update that package to its patched version.
  • Serious GHSA-353f-x4gh-cqq8 Nokogiri patches vendored libxml2 to resolve multiple CVEs
    Gemfile.lock
    A package you depend on has a known security hole (GHSA-353f-x4gh-cqq8). Fix: Update that package to its patched version.
  • Serious CVE-2026-39324 Rack::Session is a session management implementation for Rack. From 2. ...
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-39324). Fix: Update that package to its patched version.
  • Serious CVE-2026-34060 Ruby LSP is an implementation of the language server protocol for Ruby ...
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-34060). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33168 actionview: Action View: Cross-Site Scripting (XSS) via blank HTML attribute names
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33168). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-55193 Active Record connects classes to relational database tables. Prior to ...
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2025-55193). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-24293 activestorage: Code injection in Active Storage when used in conjunction with the image_processing gem
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2025-24293). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33174 Rails: Active Storage: Rails Active Storage: Denial of Service via unbounded Range header
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33174). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33173 Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33173). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33658 rails: activestorage: Active Storage: Denial of Service via HTTP Range header processing
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33658). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33176 Rails: Active Support: Active Support: Denial of Service via large scientific notation strings
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33176). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33169 rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33169). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33170 Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33170). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-35611 addressable: Addressable: Denial of Service via crafted URI templates
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-35611). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-14762 AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2025-14762). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33306 github.com/bcrypt-ruby/bcrypt-ruby: bcrypt-ruby (JRuby): Weakened password hashing due to integer overflow
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-33306). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44312 css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Pa ...
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-44312). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41316 erb: ERB: Arbitrary code execution via deserialization bypass
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-41316). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25765 Faraday: Faraday: Server-Side Request Forgery via protocol-relative URLs
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-25765). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45363 ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-45363). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42245 ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-42245). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42246 Net::IMAP implements Internet Message Access Protocol (IMAP) client fu ...
    Gemfile.lock
    A package you depend on has a known security hole (CVE-2026-42246). Fix: Update that package to its patched version.
… 32 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 55 found · 3 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-r4mg-4433-c7g3 Active Storage allowed transformation methods that were potentially unsafe
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-353f-x4gh-cqq8 Nokogiri patches vendored libxml2 to resolve multiple CVEs
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-33qg-7wpp-89cq Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-9xrj-h377-fr87 Rails Active Storage has possible Path Traversal in DiskService
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-h27x-rffw-24p4 Addressable has a Regular Expression Denial of Service in Addressable templates
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-q339-8rmv-2mhv ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-c32j-vqhx-rx3x ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-vcgp-9326-pqcp net-imap vulnerable to STARTTLS stripping via invalid response timing
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-c4rq-3m3g-8wgx Nokogiri CSS selector tokenizer has regular expression backtracking
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6xw4-3v39-52mm Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-8vqr-qjwx-82mw Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-h2jq-g4cq-5ppq Rack::Static prefix matching can expose unintended files under the static root
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-mxw3-3hh2-x2mh Rack has a Directory Traversal via Rack:Directory
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-p543-xpfm-54cp Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-v569-hp3g-36wr Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-v6x5-cg8r-vv6x Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-w9pc-fmgc-vxvw Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-wpv5-97wm-hp9c Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-c4r5-fxqw-vh93 Ruby LSP has arbitrary code execution through branch setting
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-v55j-83pf-r9cq Rails has a possible XSS vulnerability in its Action View tag helpers
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-p9fm-f462-ggrg Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-5rv5-xj5j-3484 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-q2mw-fvj9-vvcw net-imap has quadratic complexity when reading response literals
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-c2f4-jgmc-q2r5 REXML has DoS condition when parsing malformed XML file
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-j4pr-3wm6-xx2r URI Credential Leakage Bypass over CVE-2025-27221
    /workdirs/scan-6bdc9d50-917e-4db2-aad1-96509b465e94/Gemfile.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
… 30 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.0/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 2/30 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: project is archived
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 55 existing vulnerabilities detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.0.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.