gitsafehub
github.com/plankanban/planka

plankanban/planka

scanned 2026-06-30 · git 856768c
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit. How this is computed.

Summary: Leaked secrets · Vulnerable dependencies (55) · Known OSS vulnerabilities (72) · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 55 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-9277 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-46625 JavaScript Cookie is a JavaScript API for handling cookies, client-sid ...
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-46625). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53550 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48801 LinkifyIt#match scan loop has quadratic algorithmic complexity
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48801). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-2327 markdown-it: markdown-it: Denial of Service via Regular Expression Denial of Service in linkify function
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2327). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48988 markdown-it is a Markdown parser. Versions 14.1.1 and below contain a ...
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41305 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41305). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-8723 ### Summary `qs.stringify` throws `TypeError` when called with `arr ...
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-8723). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33245 react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirects
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33245). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34077 react-router: React Router: Denial of Service via client-side Cross-Site Scripting in RSC redirect handling
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-34077). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42211). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42342 react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42342). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33244 react-router: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33244). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-40181 react-router: React Router: Open redirect vulnerability via specially crafted URLs
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-40181). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-12151 undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-12151). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-6734 undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-6734). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-9697 undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9697). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-9678 undici: Undici: Information disclosure due to improper cache-control header parsing
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9678). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-9679 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9679). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41907 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53571 vite: `server.fs.deny` bypass on Windows alternate paths
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53632 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-48779 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48779). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45736 ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
    client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-45736). Fix: Update that package to its patched version.
… 30 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 72 found · 1 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-w7jw-789q-3m8p shell-quote quote() does not escape newlines in object .op values
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9277). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f886-m6hf-6m8v brace-expansion: Zero-step sequence causes process hang and memory exhaustion
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33750). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented `max` DoS protection
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-45149). Fix: Update that package to its patched version.
  • Worth fixing GHSA-848j-6mx2-7j84 Elliptic Uses a Cryptographic Primitive with a Risky Implementation
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2025-14505). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qjx8-664m-686j JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-46625). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
  • Worth fixing GHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexity
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48801). Fix: Update that package to its patched version.
  • Worth fixing GHSA-38c4-r59v-3vqw markdown-it has a Regular Expression Denial of Service (ReDoS)
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-2327). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
  • Worth fixing GHSA-qx2v-qp2m-jg93 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41305). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-8723). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2j2x-hqr9-3h42 React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-40181). Fix: Update that package to its patched version.
  • Worth fixing GHSA-49rj-9fvp-4h2h React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42211). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8646-j5j9-6r62 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33245). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8x6r-g9mw-2r78 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42342). Fix: Update that package to its patched version.
  • Worth fixing GHSA-f22v-gfqf-p8f3 React Router has stored XSS via unescaped Location header in prerendered redirect HTML
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-33244). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rxv8-25v2-qmq8 React Router vulnerable to Denial of Service via reflected user input in single-fetch
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-34077). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hm92-r4w5-c3mj undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-6734). Fix: Update that package to its patched version.
  • Worth fixing GHSA-p88m-4jfj-68fv undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9679). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pr7r-676h-xcf6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
    /workdirs/scan-9e08fd4c-5369-4c47-bdca-5234ec6a2a15/client/package-lock.json
    A package you depend on has a known security hole (CVE-2026-9678). Fix: Update that package to its patched version.
… 47 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: npm:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.