Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
Packages you depend on that have known security holes (CVEs).
CVE-2016-1000027 spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserializationCVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objectsCVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNodeCVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYSCVE-2022-42004 jackson-databind: use of deeply nested arraysCVE-2026-54512 jackson-databind contains the general-purpose data-binding functionali ...CVE-2026-54513 jackson-databind: Jackson-databind: Security bypass allows arbitrary code executionCVE-2026-50193 jackson-databind contains the general-purpose data-binding functionali ...CVE-2026-54514 jackson-databind contains the general-purpose data-binding functionali ...CVE-2026-54515 jackson-databind contains the general-purpose data-binding functionali ...CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of serviceCVE-2023-2976 guava: insecure temporary directory creationCVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosureCVE-2017-3523 mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017)CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)CVE-2015-2575 mysql-connector-java: unspecified vulnerability related to Connector/J (CPU April 2015)CVE-2017-3586 mysql-connector-java: Connector/J unspecified vulnerability (CPU Apr 2017)CVE-2019-2692 mysql-connector-java: privilege escalation in MySQL connectorCVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL ConnectorsCVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messagesCVE-2023-1932 hibernate-validator: rendering of invalid html with SafeHTML leads to HTML injection and XSSCVE-2025-35036 hibernate-validator: Hibernate Validator Expression Language InjectionCVE-2022-22968 Framework: Data Binding Rules VulnerabilityYour dependencies cross-checked against the OSV vulnerability database.
GHSA-c27h-mcmw-48hv Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-aslGHSA-4wrc-f8pq-fpqp Pivotal Spring Framework contains unsafe Java deserialization methodsGHSA-36p3-wjmg-h94x Remote Code Execution in Spring FrameworkGHSA-36p3-wjmg-h94x Remote Code Execution in Spring FrameworkGHSA-288c-cq4h-88gq XML External Entity (XXE) Injection in Jackson DatabindGHSA-3wrr-7qpf-2prh jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()GHSA-3x8x-79m2-3w2w jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNodeGHSA-57j2-w4cx-62h2 Deeply nested json in jackson-databindGHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnorePropertiesGHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)GHSA-j3rv-43j4-c7qm jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiationGHSA-jjjh-jjxp-wpff Uncontrolled Resource Consumption in Jackson-databindGHSA-rgv9-q543-rqg4 Uncontrolled Resource Consumption in FasterXML jackson-databindGHSA-rmj7-2vxq-3g9f jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)GHSA-7g45-4rm6-3mm3 Guava vulnerable to insecure use of temporary directoryGHSA-mvr2-9pj6-7w5j Denial of Service in Google GuavaGHSA-269g-pwp5-87pp TemporaryFolder on unix-like systems does not limit access to created filesGHSA-2xxh-f8r3-hvvr Improper Access Control in MySQL Connectors JavaGHSA-4vrv-ch96-6h42 Improper Privilege Management in MySQL Connectors JavaGHSA-g76j-4cxx-23h9 Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors JavaGHSA-jcq3-cprp-m333 Privilege escalation in mysql-connector-javGHSA-m6vm-37g8-gqvh MySQL Connectors takeover vulnerabilityGHSA-pwh7-92h3-mqr6 Exposure of Sensitive Information to an Unauthorized Actor in Oracle MySQL Connectors JavaGHSA-r6j9-8759-g62w Improper Restriction of XML External Entity Reference in jackson-mapper-aslGHSA-7v6m-28jr-rg84 Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression LanguageCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.