Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
- generic-api-key (reported 4 times): Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

Packages you depend on that have known security holes (CVEs).
- CVE-2026-33195 Rails: Active Storage: Active Storage (Rails): Arbitrary file access via path traversal in blob keys
- CVE-2026-33202 rails: Active Storage: Unintended file deletion via crafted blob keys
- CVE-2026-42257 net-imap: Net::IMAP: Arbitrary IMAP command injection via CRLF sequences in unvalidated input
- CVE-2026-42258 Net::IMAP implements Internet Message Access Protocol (IMAP) client fu ...
- GHSA-353f-x4gh-cqq8 Nokogiri patches vendored libxml2 to resolve multiple CVEs
- CVE-2026-39324 Rack::Session is a session management implementation for Rack. From 2. ...
- CVE-2026-34060 Ruby LSP is an implementation of the language server protocol for Ruby ...
- CVE-2026-33168 actionview: Action View: Cross-Site Scripting (XSS) via blank HTML attribute names
- CVE-2025-55193 Active Record connects classes to relational database tables. Prior to ...
- CVE-2025-24293 activestorage: Code injection in Active Storage when used in conjunction with the image_processing gem
- CVE-2026-33174 Rails: Active Storage: Rails Active Storage: Denial of Service via unbounded Range header
- CVE-2026-33173 Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads
- CVE-2026-33658 rails: activestorage: Active Storage: Denial of Service via HTTP Range header processing
- CVE-2026-33176 Rails: Active Support: Active Support: Denial of Service via large scientific notation strings
- CVE-2026-33169 rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings
- CVE-2026-33170 Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%
- CVE-2026-35611 addressable: Addressable: Denial of Service via crafted URI templates
- CVE-2025-14762 AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue
- CVE-2026-33306 github.com/bcrypt-ruby/bcrypt-ruby: bcrypt-ruby (JRuby): Weakened password hashing due to integer overflow
- CVE-2026-44312 css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Pa ...
- CVE-2026-41316 erb: ERB: Arbitrary code execution via deserialization bypass
- CVE-2026-25765 Faraday: Faraday: Server-Side Request Forgery via protocol-relative URLs
- CVE-2026-45363 ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
- CVE-2026-42245 ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses
- CVE-2026-42246 Net::IMAP implements Internet Message Access Protocol (IMAP) client fu ...

Your dependencies cross-checked against the OSV vulnerability database.
- GHSA-r4mg-4433-c7g3 Active Storage allowed transformation methods that were potentially unsafe
- GHSA-353f-x4gh-cqq8 Nokogiri patches vendored libxml2 to resolve multiple CVEs
- GHSA-33qg-7wpp-89cq Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
- GHSA-9xrj-h377-fr87 Rails Active Storage has possible Path Traversal in DiskService
- GHSA-h27x-rffw-24p4 Addressable has a Regular Expression Denial of Service in Addressable templates
- GHSA-q339-8rmv-2mhv ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
- GHSA-c32j-vqhx-rx3x ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
- GHSA-vcgp-9326-pqcp net-imap vulnerable to STARTTLS stripping via invalid response timing
- GHSA-c4rq-3m3g-8wgx Nokogiri CSS selector tokenizer has regular expression backtracking
- GHSA-6xw4-3v39-52mm Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
- GHSA-8vqr-qjwx-82mw Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
- GHSA-h2jq-g4cq-5ppq Rack::Static prefix matching can expose unintended files under the static root
- GHSA-mxw3-3hh2-x2mh Rack has a Directory Traversal via Rack::Directory
- GHSA-p543-xpfm-54cp Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
- GHSA-v569-hp3g-36wr Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
- GHSA-v6x5-cg8r-vv6x Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
- GHSA-w9pc-fmgc-vxvw Rack: Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
- GHSA-wpv5-97wm-hp9c Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
- GHSA-c4r5-fxqw-vh93 Ruby LSP has arbitrary code execution through branch setting
- GHSA-v55j-83pf-r9cq Rails has a possible XSS vulnerability in its Action View tag helpers
- GHSA-p9fm-f462-ggrg Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
- GHSA-5rv5-xj5j-3484 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
- GHSA-q2mw-fvj9-vvcw net-imap has quadratic complexity when reading response literals
- GHSA-c2f4-jgmc-q2r5 REXML has DoS condition when parsing malformed XML file
- GHSA-j4pr-3wm6-xx2r URI Credential Leakage Bypass over CVE-2025-27221

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
Maintenance & supply-chain hygiene. A signal about how the project is maintained — not a vulnerability in your code. It doesn't affect the verdict above.
- scorecard-overall OpenSSF Scorecard overall: 4.0/10
- scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
- scorecard-Code-Review Code-Review scored 0: Found 2/30 approved changesets -- score normalized to 0
- scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
- scorecard-Maintained Maintained scored 0: project is archived
- scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
- scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
- scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
- scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
- scorecard-Vulnerabilities Vulnerabilities scored 0: 55 existing vulnerabilities detected