Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.”
Packages you depend on that have known security holes (CVEs).
CVE-2026-34993 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()
CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirects
CVE-2026-54273 aiohttp: AIOHTTP: Denial of Service via excessive pipelined requests
CVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloads
CVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirect
CVE-2026-54277 aiohttp: aiohttp: Denial of Service via oversized HTTP request lines bypassing max_line_size check
CVE-2026-54278 aiohttp: aiohttp: Denial of Service due to excessive memory consumption from compressed request body
CVE-2026-41425 authlib: Authlib: Cross-Site Request Forgery (CSRF) vulnerability in OAuth cache feature
CVE-2026-41479 Authlib is a Python library which builds OAuth and OpenID Connect serv ...
CVE-2026-44681 Authlib is a Python library which builds OAuth and OpenID Connect serv ...
GHSA-537c-gmf6-5ccf Vulnerable OpenSSL included in cryptography wheels
CVE-2026-45409 Internationalized Domain Names in Applications (IDNA) for Python provi ...
CVE-2026-44843 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
CVE-2026-41481 langchain-text-splitters: LangChain: Information Disclosure via Server-Side Request Forgery (SSRF) Redirect Bypass
CVE-2026-45134 LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
GHSA-f4xh-w4cj-qxq8 LangSmith SDK TracingMiddleware: Arbitrary server-side file read
CVE-2026-41182 LangSmith SDK: Streaming token events bypass output redaction
CVE-2026-41066 lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read
GHSA-4xgf-cpjx-pc3j pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
CVE-2026-48526 python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens
CVE-2026-48522 python-pyjwt: PyJWT: Server-Side Request Forgery (SSRF) via uncontrolled URL fetching in PyJWKClient
CVE-2026-48523 python-pyjwt: PyJWT: Verifier-side algorithm bypass leads to unauthorized information access
CVE-2026-48525 python-pyjwt: PyJWT: Denial of Service via processing of crafted detached JWS tokens
CVE-2026-41168 pypdf: pypdf: Denial of Service via crafted PDF with oversized streams
CVE-2026-41312 pypdf: pypdf: Denial of Service due to excessive memory consumption via specially crafted PDF

Your dependencies cross-checked against the OSV vulnerability database.

GHSA-f4j7-r4q5-qw2c ChromaDB Python project has a pre-authentication code injection vulnerability
PYSEC-2026-237 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applicat
GHSA-4fvr-rgm6-gqmc aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
GHSA-63hw-fmq6-xxg2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
GHSA-g3cq-j2xw-wf74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
GHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
GHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
GHSA-jg22-mg44-37j8 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
GHSA-xcgm-r5h9-7989 aiohttp: Incomplete websocket frame payloads bypass memory limits
PYSEC-2026-188 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorizat
PYSEC-2026-25 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulne
GHSA-w8p2-r796-3vmq Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
PYSEC-2023-235 An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster.
GHSA-537c-gmf6-5ccf Vulnerable OpenSSL included in cryptography wheels
PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
GHSA-pjwx-r37v-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
PYSEC-2026-77 LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using valida
GHSA-3644-q5cj-c5c7 LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
GHSA-f4xh-w4cj-qxq8 LangSmith SDK TracingMiddleware: Arbitrary server-side file read
GHSA-rr7j-v2q5-chgv LangSmith SDK: Streaming token events bypass output redaction
PYSEC-2026-87 lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML inp
GHSA-4xgf-cpjx-pc3j pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
PYSEC-2026-175 PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector register
PYSEC-2026-178 PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decod
PYSEC-2026-179 PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
This check didn’t finish — that’s not the same as “clean.”