Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
jwt (reported 4 times): Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Packages you depend on that have known security holes (CVEs).
CVE-2026-27962 authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability
CVE-2025-43859 h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a ...
CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
CVE-2023-39662 llama-index vulnerable to arbitrary code execution
CVE-2024-23751 SQL injection in llama-index
CVE-2025-1793 llama_index vulnerable to SQL Injection
CVE-2023-50447 Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Executi ...
CVE-2024-3829 qdrant input validation failure
CVE-2024-23334 aiohttp is an asynchronous HTTP client/server framework for asyncio an ...
CVE-2024-30251 aiohttp is an asynchronous HTTP client/server framework for asyncio an ...
CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
CVE-2024-23829 aiohttp is an asynchronous HTTP client/server framework for asyncio an ...
CVE-2024-27306 aiohttp is an asynchronous HTTP client/server framework for asyncio an ...
CVE-2024-52304 aiohttp is an asynchronous HTTP client/server framework for asyncio an ...
CVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST request
CVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
CVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
CVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling
CVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows
CVE-2026-34516 aiohttp: AIOHTTP: Denial of Service via excessive multipart headers
CVE-2026-34525 aiohttp: aiohttp: Security bypass via multiple Host headers
CVE-2024-37568 lepture Authlib before 1.3.1 has algorithm confusion with asymmetric p ...
CVE-2025-59420 Authlib is a Python library which builds OAuth and OpenID Connect serv ...
CVE-2025-61920 Authlib is a Python library which builds OAuth and OpenID Connect serv ...
CVE-2026-28490 authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-wvwj-cvrp-7pv5 Authlib JWS JWK Header Injection: Signature Verification Bypass
GHSA-vqfr-h8mv-ghfj h11 accepts some malformed Chunked-Encoding bodies
GHSA-c67j-w6g6-q2cm LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
GHSA-2jxw-4hm4-6w87 SQL injection in llama-index
GHSA-2xxc-73fv-36f7 llama-index vulnerable to arbitrary code execution
GHSA-v3c8-3pr6-gr7p llama_index vulnerable to SQL Injection
GHSA-3f63-hfp8-52jq Arbitrary Code Execution in Pillow
GHSA-7m75-x27w-r52r qdrant input validation failure
GHSA-5h86-8mv2-jq9f aiohttp is vulnerable to directory traversal
GHSA-5m98-qgg9-wh84 aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
GHSA-5357-c2jx-v7qh Authlib has algorithm confusion with asymmetric public keys
GHSA-7432-952r-cw78 Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
GHSA-9ggr-2464-2j32 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)
GHSA-m344-f55w-2m6j Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
GHSA-pq5p-34cr-23v9 Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
GHSA-jm66-cg57-jjv5 Azure Core is vulnerable to deserialization of untrusted data
GHSA-3ww4-gg4f-jr7f Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
GHSA-6vqw-3v5j-54x4 cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
GHSA-r6ph-v2qm-q3c2 cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
GHSA-2mqj-m65w-jghx Untrusted search path under some conditions on Windows allows arbitrary code execution
GHSA-7545-fcxq-7j24 GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository
GHSA-mv93-w799-cj2w GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
GHSA-rpm5-65cw-6hj4 GitPython has Command Injection via Git options bypass
GHSA-v87r-6q3f-2j67 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 2.6/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 25 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Vulnerabilities Vulnerabilities scored 0: 131 existing vulnerabilities detected