Informational scan, not a security audit. How this is computed.
API keys, passwords or tokens committed into the repo.
generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.Packages you depend on that have known security holes (CVEs).
CVE-2026-44513 Diffusers: Diffusers: Arbitrary remote code execution via `trust_remote_code` bypassCVE-2026-45804 Diffusers: TOCTOU Trust Remote Code BypassCVE-2026-25990 pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD ImageCVE-2026-40192 Pillow: Pillow: Denial of Service via decompression bomb in FITS image processingCVE-2026-42311 Pillow is a Python imaging library. From version 10.3.0 to before vers ...CVE-2026-42308 Pillow: python: Pillow: Denial of Service via integer overflow in font processingCVE-2026-42309 Pillow: Pillow: Denial of Service via specially crafted coordinate inputCVE-2026-42310 Pillow: Pillow: Denial of Service via malicious PDF processingCVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint fileYour dependencies cross-checked against the OSV vulnerability database.
PYSEC-2026-40 Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user paPYSEC-2026-41 Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from HugGHSA-7wx4-6vff-v64p Diffusers: TOCTOU Trust Remote Code BypassPYSEC-2026-165 Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer GHSA-5xmw-vc9v-4wf2 Pillow has a heap buffer overflow with nested list coordinatesGHSA-cfh3-3jmp-rvhc Pillow affected by out-of-bounds write when loading PSD imagesGHSA-pwv6-vv43-88gr Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)GHSA-r73j-pqj5-w3x7 Pillow has a PDF Parsing Trailer Infinite Loop (DoS)GHSA-whj4-6x5x-4v2j FITS GZIP decompression bomb in PillowPYSEC-2025-191 A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of servicePYSEC-2025-198 In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.PYSEC-2025-199 In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error.PYSEC-2025-200 In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results.PYSEC-2025-201 In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument.PYSEC-2025-202 PyTorch before 3.7.0 has a bernoulli_p decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d,PYSEC-2025-203 An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation.PYSEC-2025-204 pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together.PYSEC-2025-205 A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).PYSEC-2025-206 pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().PYSEC-2025-207 A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).PYSEC-2025-208 A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a PYSEC-2025-209 An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor.PYSEC-2026-139 A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be peGHSA-887c-mr87-cxwp PyTorch Improper Resource Shutdown or Release vulnerabilityGHSA-c678-jfcj-6jmf PyTorch Tuple Handler is Vulnerable to Memory Corruption through Manipulation of None ArgumentCode that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.” Try Check again above.
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 2.4/10scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detectedscorecard-Code-Review Code-Review scored 0: Found 0/30 approved changesets -- score normalized to 0scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detectedscorecard-Fuzzing Fuzzing scored 0: project is not fuzzedscorecard-SAST SAST scored 0: no SAST tool detectedscorecard-Security-Policy Security-Policy scored 0: security policy file not detected