| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| MEDIUM | CVE-2023-36464 | PyPDF2 | 3.0.1 | No fix | pypdf: Possible Infinite Loop when a comment isn't followed by a character |
| HIGH | CVE-2025-69223 | aiohttp | 3.13.0 | 3.13.3 | aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb |
| MEDIUM | CVE-2025-69227 | aiohttp | 3.13.0 | 3.13.3 | aiohttp: aiohttp: Denial of Service via specially crafted POST request |
| MEDIUM | CVE-2025-69228 | aiohttp | 3.13.0 | 3.13.3 | aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request |
| MEDIUM | CVE-2025-69229 | aiohttp | 3.13.0 | 3.13.3 | aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling |
| CRITICAL | CVE-2025-14009 | nltk | 3.9.2 | No fix | nltk: Zip Slip Vulnerability in nltk Leading to Code Execution |
| HIGH | CVE-2026-25990 | pillow | 10.4.0 | 12.1.1 | pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image |
| Type | File | Line | Match |
|---|---|---|---|
| GitHub | security-reports/gitleaks-report.json | 9 | "Match": "**************************************... |
| GitHub | security-reports/gitleaks-report.json | 10 | "Secret": "*************************************... |
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS-0029 | 'apt-get' missing '--no-install-recommends' | Dockerfile | '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y libgl1 libglib2.0-0 tesseract-ocr && rm -rf /var/lib/apt/lists/*' |
{
"SchemaVersion": 2,
"Trivy": {
"Version": "0.69.0"
},
"ReportID": "019c8f23-c2cb-7327-9283-7a9392fa7385",
"CreatedAt": "2026-02-24T10:13:31.467209963Z",
"ArtifactID": "sha256:3e4e98b010a7ba78cf8a20d904e52dc1c1b8bc642a1dee7e5563301d3ec422c1",
"ArtifactName": "/src",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/eizen-ai/eizen-document-processing",
"Branch": "eizen-agent-document-service",
"Commit": "fe2f84ad9a5ca7ba3925cb90744d6c437a890823",
"CommitMsg": "Add configurable API+KEY_HEADER and clean code formatting across all modules",
"Author": "eizen-anurag <anurag.bheemani@eizen.ai>",
"Committer": "eizen-anurag <anurag.bheemani@eizen.ai>"
},
"Results": [
{
"Target": "requirements.txt",
"Class": "lang-pkgs",
"Type": "pip",
"Packages": [
{
"Name": "PyMuPDF",
"Identifier": {
"PURL": "pkg:pypi/pymupdf@1.26.4",
"UID": "1465de1940e199ba"
},
"Version": "1.26.4",
"Locations": [
{
"StartLine": 8,
"EndLine": 8
}
],
"AnalyzedBy": "pip"
},
{
"Name": "PyPDF2",
"Identifier": {
"PURL": "pkg:pypi/pypdf2@3.0.1",
"UID": "64bb71618f358be1"
},
"Version": "3.0.1",
"Locations": [
{
"StartLine": 23,
"EndLine": 23
}
],
"AnalyzedBy": "pip"
},
{
"Name": "aiofiles",
"Identifier": {
"PURL": "pkg:pypi/aiofiles@24.1.0",
"UID": "8296f2fab03307cf"
},
"Version": "24.1.0",
"Locations": [
{
"StartLine": 15,
"EndLine": 15
}
],
"AnalyzedBy": "pip"
},
{
"Name": "aiohttp",
"Identifier": {
"PURL": "pkg:pypi/aiohttp@3.13.0",
"UID": "27ca1175e693e959"
},
"Version": "3.13.0",
"Locations": [
{
"StartLine": 14,
"EndLine": 14
}
],
"AnalyzedBy": "pip"
},
{
"Name": "boto3",
"Identifier": {
"PURL": "pkg:pypi/boto3@1.40.30",
"UID": "f964a8b27c243d70"
},
"Version": "1.40.30",
"Locations": [
{
"StartLine": 16,
"EndLine": 16
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi",
"Identifier": {
"PURL": "pkg:pypi/fastapi@0.124.4",
"UID": "6cf9ee53cb3f4582"
},
"Version": "0.124.4",
"Locations": [
{
"StartLine": 2,
"EndLine": 2
}
],
"AnalyzedBy": "pip"
},
{
"Name": "google-generativeai",
"Identifier": {
"PURL": "pkg:pypi/google-generativeai@0.8.5",
"UID": "b6e8abfd9757117a"
},
"Version": "0.8.5",
"Locations": [
{
"StartLine": 11,
"EndLine": 11
}
],
"AnalyzedBy": "pip"
},
{
"Name": "motor",
"Identifier": {
"PURL": "pkg:pypi/motor@3.7.1",
"UID": "89388599636f86dd"
},
"Version": "3.7.1",
"Locations": [
{
"StartLine": 13,
"EndLine": 13
}
],
"AnalyzedBy": "pip"
},
{
"Name": "nltk",
"Identifier": {
"PURL": "pkg:pypi/nltk@3.9.2",
"UID": "272145d2e23dbea8"
},
"Version": "3.9.2",
"Locations": [
{
"StartLine": 25,
"EndLine": 25
}
],
"AnalyzedBy": "pip"
},
{
"Name": "numpy",
"Identifier": {
"PURL": "pkg:pypi/numpy@1.26.4",
"UID": "c98e40357658d084"
},
"Version": "1.26.4",
"Locations": [
{
"StartLine": 18,
"EndLine": 18
}
],
"AnalyzedBy": "pip"
},
{
"Name": "opencv-python",
"Identifier": {
"PURL": "pkg:pypi/opencv-python@4.11.0.86",
"UID": "43d876fe4f8aef2e"
},
"Version": "4.11.0.86",
"Locations": [
{
"StartLine": 10,
"EndLine": 10
}
],
"AnalyzedBy": "pip"
},
{
"Name": "paddleocr",
"Identifier": {
"PURL": "pkg:pypi/paddleocr@2.9.1",
"UID": "b7a1826e6a2f27c1"
},
"Version": "2.9.1",
"Locations": [
{
"StartLine": 28,
"EndLine": 28
}
],
"AnalyzedBy": "pip"
},
{
"Name": "paddlepaddle",
"Identifier": {
"PURL": "pkg:pypi/paddlepaddle@2.6.2",
"UID": "b3eeb6957634d6eb"
},
"Version": "2.6.2",
"Locations": [
{
"StartLine": 29,
"EndLine": 29
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pandas",
"Identifier": {
"PURL": "pkg:pypi/pandas@2.3.2",
"UID": "ff349b72bb0f8c63"
},
"Version": "2.3.2",
"Locations": [
{
"StartLine": 20,
"EndLine": 20
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pillow",
"Identifier": {
"PURL": "pkg:pypi/pillow@10.4.0",
"UID": "8ece9cabfd6a7e63"
},
"Version": "10.4.0",
"Locations": [
{
"StartLine": 9,
"EndLine": 9
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pydantic",
"Identifier": {
"PURL": "pkg:pypi/pydantic@2.11.8",
"UID": "a1673c428f72e582"
},
"Version": "2.11.8",
"Locations": [
{
"StartLine": 4,
"EndLine": 4
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pymongo",
"Identifier": {
"PURL": "pkg:pypi/pymongo@4.15.0",
"UID": "713ae067a3363679"
},
"Version": "4.15.0",
"Locations": [
{
"StartLine": 12,
"EndLine": 12
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pytesseract",
"Identifier": {
"PURL": "pkg:pypi/pytesseract@0.3.13",
"UID": "834d458c2d3eac1d"
},
"Version": "0.3.13",
"Locations": [
{
"StartLine": 30,
"EndLine": 30
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-dotenv",
"Identifier": {
"PURL": "pkg:pypi/python-dotenv@1.1.1",
"UID": "8897a3d7e1b78604"
},
"Version": "1.1.1",
"Locations": [
{
"StartLine": 5,
"EndLine": 5
}
],
"AnalyzedBy": "pip"
},
{
"Name": "requests",
"Identifier": {
"PURL": "pkg:pypi/requests@2.32.5",
"UID": "d20e69427937d4a9"
},
"Version": "2.32.5",
"Locations": [
{
"StartLine": 17,
"EndLine": 17
}
],
"AnalyzedBy": "pip"
},
{
"Name": "scipy",
"Identifier": {
"PURL": "pkg:pypi/scipy@1.16.2",
"UID": "672f778c71f4e708"
},
"Version": "1.16.2",
"Locations": [
{
"StartLine": 19,
"EndLine": 19
}
],
"AnalyzedBy": "pip"
},
{
"Name": "transformers",
"Identifier": {
"PURL": "pkg:pypi/transformers@4.57.6",
"UID": "31919b690f740ca"
},
"Version": "4.57.6",
"Locations": [
{
"StartLine": 24,
"EndLine": 24
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvicorn",
"Identifier": {
"PURL": "pkg:pypi/uvicorn@0.35.0",
"UID": "161d3f5ee964afe6"
},
"Version": "0.35.0",
"Locations": [
{
"StartLine": 3,
"EndLine": 3
}
],
"AnalyzedBy": "pip"
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2023-36464",
"VendorIDs": [
"GHSA-4vvm-4w3v-6mr8"
],
"PkgName": "PyPDF2",
"PkgIdentifier": {
"PURL": "pkg:pypi/pypdf2@3.0.1",
"UID": "64bb71618f358be1"
},
"InstalledVersion": "3.0.1",
"Status": "affected",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-36464",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:6a4c2c78259510fcc21b33bbb557eaa0ddc68667a3d69626c34de5ed0805f675",
"Title": "pypdf: Possible Infinite Loop when a comment isn't followed by a character",
"Description": "pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b\"\\r\", b\"\\n\")` in `pypdf/generic/_data_structures.py` to `while peek not in (b\"\\r\", b\"\\n\", b\"\")`.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-835"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 6.2
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"V3Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 6.2
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2023-36464",
"https://github.com/py-pdf/pypdf",
"https://github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932",
"https://github.com/py-pdf/pypdf/pull/1828",
"https://github.com/py-pdf/pypdf/pull/969",
"https://github.com/py-pdf/pypdf/releases/tag/3.9.0",
"https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8",
"https://nvd.nist.gov/vuln/detail/CVE-2023-36464",
"https://www.cve.org/CVERecord?id=CVE-2023-36464"
],
"PublishedDate": "2023-06-27T22:15:11.79Z",
"LastModifiedDate": "2024-11-21T08:09:45.95Z"
},
{
"VulnerabilityID": "CVE-2025-69223",
"VendorIDs": [
"GHSA-6mq8-rvhq-8wgg"
],
"PkgName": "aiohttp",
"PkgIdentifier": {
"PURL": "pkg:pypi/aiohttp@3.13.0",
"UID": "27ca1175e693e959"
},
"InstalledVersion": "3.13.0",
"FixedVersion": "3.13.3",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69223",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:f1ef28b6e36d9f36ee6aae2041c6c8abcd1e10f9debd026f1d432aeab734339d",
"Title": "aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb",
"Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.",
"Severity": "HIGH",
"CweIDs": [
"CWE-409",
"CWE-770"
],
"VendorSeverity": {
"ghsa": 3,
"redhat": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-69223",
"https://github.com/aio-libs/aiohttp",
"https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a",
"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg",
"https://nvd.nist.gov/vuln/detail/CVE-2025-69223",
"https://ubuntu.com/security/notices/USN-8032-1",
"https://www.cve.org/CVERecord?id=CVE-2025-69223"
],
"PublishedDate": "2026-01-05T22:15:53.017Z",
"LastModifiedDate": "2026-01-14T19:11:07.5Z"
},
{
"VulnerabilityID": "CVE-2025-69227",
"VendorIDs": [
"GHSA-jj3x-wxrx-4x23"
],
"PkgName": "aiohttp",
"PkgIdentifier": {
"PURL": "pkg:pypi/aiohttp@3.13.0",
"UID": "27ca1175e693e959"
},
"InstalledVersion": "3.13.0",
"FixedVersion": "3.13.3",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69227",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:a0db29465b37d56f8632fbd235b203ee12f54983645c73af20bf0bc26cb2455b",
"Title": "aiohttp: aiohttp: Denial of Service via specially crafted POST request",
"Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-835"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 3,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"V40Score": 6.6
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-69227",
"https://github.com/aio-libs/aiohttp",
"https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259",
"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23",
"https://nvd.nist.gov/vuln/detail/CVE-2025-69227",
"https://ubuntu.com/security/notices/USN-8032-1",
"https://www.cve.org/CVERecord?id=CVE-2025-69227"
],
"PublishedDate": "2026-01-06T00:15:48.053Z",
"LastModifiedDate": "2026-01-14T19:16:56.1Z"
},
{
"VulnerabilityID": "CVE-2025-69228",
"VendorIDs": [
"GHSA-6jhg-hg63-jvvf"
],
"PkgName": "aiohttp",
"PkgIdentifier": {
"PURL": "pkg:pypi/aiohttp@3.13.0",
"UID": "27ca1175e693e959"
},
"InstalledVersion": "3.13.0",
"FixedVersion": "3.13.3",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69228",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:d311859edd69c484caea1a8aee729b7e0cecf42837c0f63a3f4779d4f2cd22a7",
"Title": "aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request",
"Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 3,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"V40Score": 6.6
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"V3Score": 6.8
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-69228",
"https://github.com/aio-libs/aiohttp",
"https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60",
"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf",
"https://nvd.nist.gov/vuln/detail/CVE-2025-69228",
"https://ubuntu.com/security/notices/USN-8032-1",
"https://www.cve.org/CVERecord?id=CVE-2025-69228"
],
"PublishedDate": "2026-01-06T00:15:48.203Z",
"LastModifiedDate": "2026-01-14T19:17:21.547Z"
},
{
"VulnerabilityID": "CVE-2025-69229",
"VendorIDs": [
"GHSA-g84x-mcqj-x9qq"
],
"PkgName": "aiohttp",
"PkgIdentifier": {
"PURL": "pkg:pypi/aiohttp@3.13.0",
"UID": "27ca1175e693e959"
},
"InstalledVersion": "3.13.0",
"FixedVersion": "3.13.3",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69229",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:6fd7a9525ddaf50d0f4ee5926ff7d4967cc35e024e3cf0faefd8222827c0a364",
"Title": "aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling",
"Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"V40Score": 6.6
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"V3Score": 5.8
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-69229",
"https://github.com/aio-libs/aiohttp",
"https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229",
"https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712",
"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq",
"https://nvd.nist.gov/vuln/detail/CVE-2025-69229",
"https://ubuntu.com/security/notices/USN-8032-1",
"https://www.cve.org/CVERecord?id=CVE-2025-69229"
],
"PublishedDate": "2026-01-06T00:15:48.347Z",
"LastModifiedDate": "2026-02-13T18:55:03.527Z"
},
{
"VulnerabilityID": "CVE-2025-14009",
"VendorIDs": [
"GHSA-7p94-766c-hgjp"
],
"PkgName": "nltk",
"PkgIdentifier": {
"PURL": "pkg:pypi/nltk@3.9.2",
"UID": "272145d2e23dbea8"
},
"InstalledVersion": "3.9.2",
"Status": "affected",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-14009",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:64991eecc67ce139d8abc7c17d02266dfe13b57a5d7cff3e5f508ac08f08ff30",
"Title": "nltk: Zip Slip Vulnerability in nltk Leading to Code Execution",
"Description": "A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-94"
],
"VendorSeverity": {
"ghsa": 4,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 10
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.8
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-14009",
"https://github.com/nltk/nltk",
"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18",
"https://github.com/nltk/nltk/pull/3468",
"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4",
"https://nvd.nist.gov/vuln/detail/CVE-2025-14009",
"https://www.cve.org/CVERecord?id=CVE-2025-14009"
],
"PublishedDate": "2026-02-18T18:24:19.41Z",
"LastModifiedDate": "2026-02-19T15:53:02.85Z"
},
{
"VulnerabilityID": "CVE-2026-25990",
"VendorIDs": [
"GHSA-cfh3-3jmp-rvhc"
],
"PkgName": "pillow",
"PkgIdentifier": {
"PURL": "pkg:pypi/pillow@10.4.0",
"UID": "8ece9cabfd6a7e63"
},
"InstalledVersion": "10.4.0",
"FixedVersion": "12.1.1",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25990",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:67785a1237f7cb878f419dabf2cb7353b76058df6e6526cb6a79f261056ac041",
"Title": "pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image",
"Description": "Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"bitnami": 3,
"ghsa": 3,
"nvd": 3,
"redhat": 3,
"ubuntu": 2
},
"CVSS": {
"bitnami": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"V40Score": 8.9
},
"ghsa": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"V40Score": 8.9
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2026/02/12/1",
"https://access.redhat.com/security/cve/CVE-2026-25990",
"https://github.com/python-pillow/Pillow",
"https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199",
"https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa",
"https://github.com/python-pillow/Pillow/pull/9427",
"https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc",
"https://nvd.nist.gov/vuln/detail/CVE-2026-25990",
"https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html",
"https://ubuntu.com/security/notices/USN-8047-1",
"https://www.cve.org/CVERecord?id=CVE-2026-25990"
],
"PublishedDate": "2026-02-11T21:16:20.67Z",
"LastModifiedDate": "2026-02-13T21:32:55.623Z"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS-0029",
"Title": "'apt-get' missing '--no-install-recommends'",
"Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.",
"Message": "'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y libgl1 libglib2.0-0 tesseract-ocr && rm -rf /var/lib/apt/lists/*'",
"Namespace": "builtin.dockerfile.DS029",
"Query": "data.builtin.dockerfile.DS029.deny",
"Resolution": "Add '--no-install-recommends' flag to 'apt-get'",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0029",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds-0029"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 4,
"EndLine": 8,
"Code": {
"Lines": [
{
"Number": 4,
"Content": "RUN apt-get update && apt-get install -y \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update \u001b[38;5;245m&&\u001b[0m apt-get install -y \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 5,
"Content": " libgl1 \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m libgl1 \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 6,
"Content": " libglib2.0-0 \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m libglib2.0-0 \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " tesseract-ocr \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m tesseract-ocr \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " && rm -rf /var/lib/apt/lists/*",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm -rf /var/lib/apt/lists/*",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
},
{
"Target": "security-reports/gitleaks-report.json",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 9,
"EndLine": 9,
"Code": {
"Lines": [
{
"Number": 7,
"Content": " \"StartColumn\": 32,",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"StartColumn\": 32,",
"FirstCause": false,
"LastCause": false
},
{
"Number": 8,
"Content": " \"EndColumn\": 71,",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"EndColumn\": 71,",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " \"Match\": \"****************************************\",",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Match\": \"****************************************\",",
"FirstCause": true,
"LastCause": true
},
{
"Number": 10,
"Content": " \"Secret\": \"****************************************\",",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Secret\": \"****************************************\",",
"FirstCause": false,
"LastCause": false
}
]
},
"Match": " \"Match\": \"****************************************\",",
"Offset": 265
},
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 10,
"EndLine": 10,
"Code": {
"Lines": [
{
"Number": 8,
"Content": " \"EndColumn\": 71,",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"EndColumn\": 71,",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " \"Match\": \"****************************************\",",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Match\": \"****************************************\",",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": " \"Secret\": \"****************************************\",",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Secret\": \"****************************************\",",
"FirstCause": true,
"LastCause": true
},
{
"Number": 11,
"Content": " \"File\": \".gitmodules\",",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"File\": \".gitmodules\",",
"FirstCause": false,
"LastCause": false
}
]
},
"Match": " \"Secret\": \"****************************************\",",
"Offset": 321
}
]
}
]
}