| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| HIGH | CVE-2026-25990 | pillow | 11.1.0 | 12.1.1 | pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image |
| Type | File | Line | Match |
|---|---|---|---|
| GitHub | security-reports/gitleaks-report.json | 30 | "Match": "**************************************... |
| GitHub | security-reports/gitleaks-report.json | 31 | "Secret": "*************************************... |
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS-0029 | 'apt-get' missing '--no-install-recommends' | Dockerfile | '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y software-propert |
{
"SchemaVersion": 2,
"Trivy": {
"Version": "0.69.0"
},
"ReportID": "019c9e9e-4ffa-75c9-a80a-ed66cb732d1f",
"CreatedAt": "2026-02-27T10:21:41.242382942Z",
"ArtifactID": "sha256:1002da50d56f33c5b59d7f021c6c455b4601f18c908f51169fede2e88d872596",
"ArtifactName": "/src",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/eizen-ai/eizen-llava-inference.git",
"Branch": "ldev",
"Commit": "017498561e8b5179ec1d8e9863b094a487459b97",
"CommitMsg": "Update Dockerfile",
"Author": "Karthik <karthik.byroni@eizen.ai>",
"Committer": "GitHub <noreply@github.com>"
},
"Results": [
{
"Target": "requirements.txt",
"Class": "lang-pkgs",
"Type": "pip",
"Packages": [
{
"Name": "Jinja2",
"Identifier": {
"PURL": "pkg:pypi/jinja2@3.1.6",
"UID": "45848c8e63c496a9"
},
"Version": "3.1.6",
"Locations": [
{
"StartLine": 9,
"EndLine": 9
}
],
"AnalyzedBy": "pip"
},
{
"Name": "MarkupSafe",
"Identifier": {
"PURL": "pkg:pypi/markupsafe@3.0.2",
"UID": "f895013f25d2efed"
},
"Version": "3.0.2",
"Locations": [
{
"StartLine": 10,
"EndLine": 10
}
],
"AnalyzedBy": "pip"
},
{
"Name": "PyYAML",
"Identifier": {
"PURL": "pkg:pypi/pyyaml@6.0.2",
"UID": "636f893cbfa7b0d0"
},
"Version": "6.0.2",
"Locations": [
{
"StartLine": 20,
"EndLine": 20
}
],
"AnalyzedBy": "pip"
},
{
"Name": "accelerate",
"Identifier": {
"PURL": "pkg:pypi/accelerate@1.4.0",
"UID": "1d27dd4aaa476b2a"
},
"Version": "1.4.0",
"Locations": [
{
"StartLine": 1,
"EndLine": 1
}
],
"AnalyzedBy": "pip"
},
{
"Name": "av",
"Identifier": {
"PURL": "pkg:pypi/av@14.0.1",
"UID": "56bc1f7810afb5c1"
},
"Version": "14.0.1",
"Locations": [
{
"StartLine": 19,
"EndLine": 19
}
],
"AnalyzedBy": "pip"
},
{
"Name": "bitsandbytes",
"Identifier": {
"PURL": "pkg:pypi/bitsandbytes@0.45.3",
"UID": "bbde0980765a80aa"
},
"Version": "0.45.3",
"Locations": [
{
"StartLine": 2,
"EndLine": 2
}
],
"AnalyzedBy": "pip"
},
{
"Name": "boto3",
"Identifier": {
"PURL": "pkg:pypi/boto3@1.36.4",
"UID": "8321b987d454501e"
},
"Version": "1.36.4",
"Locations": [
{
"StartLine": 35,
"EndLine": 35
}
],
"AnalyzedBy": "pip"
},
{
"Name": "certifi",
"Identifier": {
"PURL": "pkg:pypi/certifi@2025.1.31",
"UID": "f106f17482c90b34"
},
"Version": "2025.1.31",
"Locations": [
{
"StartLine": 3,
"EndLine": 3
}
],
"AnalyzedBy": "pip"
},
{
"Name": "charset-normalizer",
"Identifier": {
"PURL": "pkg:pypi/charset-normalizer@3.4.1",
"UID": "5fead1ef624ac1ee"
},
"Version": "3.4.1",
"Locations": [
{
"StartLine": 4,
"EndLine": 4
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi",
"Identifier": {
"PURL": "pkg:pypi/fastapi@0.115.6",
"UID": "f18968a786ec127a"
},
"Version": "0.115.6",
"Locations": [
{
"StartLine": 33,
"EndLine": 33
}
],
"AnalyzedBy": "pip"
},
{
"Name": "filelock",
"Identifier": {
"PURL": "pkg:pypi/filelock@3.20.3",
"UID": "b354872985017c13"
},
"Version": "3.20.3",
"Locations": [
{
"StartLine": 5,
"EndLine": 5
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fsspec",
"Identifier": {
"PURL": "pkg:pypi/fsspec@2025.2.0",
"UID": "19a9723e8c3a4914"
},
"Version": "2025.2.0",
"Locations": [
{
"StartLine": 6,
"EndLine": 6
}
],
"AnalyzedBy": "pip"
},
{
"Name": "huggingface-hub",
"Identifier": {
"PURL": "pkg:pypi/huggingface-hub@0.30.2",
"UID": "54aeed72c718eb21"
},
"Version": "0.30.2",
"Locations": [
{
"StartLine": 7,
"EndLine": 7
}
],
"AnalyzedBy": "pip"
},
{
"Name": "idna",
"Identifier": {
"PURL": "pkg:pypi/idna@3.10",
"UID": "6891a2dd71220feb"
},
"Version": "3.10",
"Locations": [
{
"StartLine": 8,
"EndLine": 8
}
],
"AnalyzedBy": "pip"
},
{
"Name": "mpmath",
"Identifier": {
"PURL": "pkg:pypi/mpmath@1.3.0",
"UID": "13c983e4933de005"
},
"Version": "1.3.0",
"Locations": [
{
"StartLine": 11,
"EndLine": 11
}
],
"AnalyzedBy": "pip"
},
{
"Name": "networkx",
"Identifier": {
"PURL": "pkg:pypi/networkx@3.4.2",
"UID": "52896dc3bc68b9a3"
},
"Version": "3.4.2",
"Locations": [
{
"StartLine": 12,
"EndLine": 12
}
],
"AnalyzedBy": "pip"
},
{
"Name": "numpy",
"Identifier": {
"PURL": "pkg:pypi/numpy@1.26.4",
"UID": "ba92d258395ca464"
},
"Version": "1.26.4",
"Locations": [
{
"StartLine": 13,
"EndLine": 13
}
],
"AnalyzedBy": "pip"
},
{
"Name": "opencv-python",
"Identifier": {
"PURL": "pkg:pypi/opencv-python@4.11.0.86",
"UID": "aa1f16ca3518f21"
},
"Version": "4.11.0.86",
"Locations": [
{
"StartLine": 14,
"EndLine": 14
}
],
"AnalyzedBy": "pip"
},
{
"Name": "packaging",
"Identifier": {
"PURL": "pkg:pypi/packaging@24.2",
"UID": "30ec11158bb14c27"
},
"Version": "24.2",
"Locations": [
{
"StartLine": 15,
"EndLine": 15
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pillow",
"Identifier": {
"PURL": "pkg:pypi/pillow@11.1.0",
"UID": "eb567629c33246d"
},
"Version": "11.1.0",
"Locations": [
{
"StartLine": 16,
"EndLine": 16
}
],
"AnalyzedBy": "pip"
},
{
"Name": "protobuf",
"Identifier": {
"PURL": "pkg:pypi/protobuf@5.29.6",
"UID": "f0bf2233e8495cac"
},
"Version": "5.29.6",
"Locations": [
{
"StartLine": 17,
"EndLine": 17
}
],
"AnalyzedBy": "pip"
},
{
"Name": "psutil",
"Identifier": {
"PURL": "pkg:pypi/psutil@7.0.0",
"UID": "c8679f5530f73935"
},
"Version": "7.0.0",
"Locations": [
{
"StartLine": 18,
"EndLine": 18
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-dotenv",
"Identifier": {
"PURL": "pkg:pypi/python-dotenv@1.0.1",
"UID": "18f0b9160a0a9621"
},
"Version": "1.0.1",
"Locations": [
{
"StartLine": 36,
"EndLine": 36
}
],
"AnalyzedBy": "pip"
},
{
"Name": "regex",
"Identifier": {
"PURL": "pkg:pypi/regex@2024.11.6",
"UID": "e49cc5c7093b8bc"
},
"Version": "2024.11.6",
"Locations": [
{
"StartLine": 21,
"EndLine": 21
}
],
"AnalyzedBy": "pip"
},
{
"Name": "requests",
"Identifier": {
"PURL": "pkg:pypi/requests@2.32.4",
"UID": "ee373a7879a5fd81"
},
"Version": "2.32.4",
"Locations": [
{
"StartLine": 22,
"EndLine": 22
}
],
"AnalyzedBy": "pip"
},
{
"Name": "safetensors",
"Identifier": {
"PURL": "pkg:pypi/safetensors@0.5.3",
"UID": "f2e646a3aaa73c55"
},
"Version": "0.5.3",
"Locations": [
{
"StartLine": 23,
"EndLine": 23
}
],
"AnalyzedBy": "pip"
},
{
"Name": "sentencepiece",
"Identifier": {
"PURL": "pkg:pypi/sentencepiece@0.2.1",
"UID": "1e95547124ca2b77"
},
"Version": "0.2.1",
"Locations": [
{
"StartLine": 24,
"EndLine": 24
}
],
"AnalyzedBy": "pip"
},
{
"Name": "setuptools",
"Identifier": {
"PURL": "pkg:pypi/setuptools@78.1.1",
"UID": "70c3b4d61bc08e76"
},
"Version": "78.1.1",
"Locations": [
{
"StartLine": 25,
"EndLine": 25
}
],
"AnalyzedBy": "pip"
},
{
"Name": "sympy",
"Identifier": {
"PURL": "pkg:pypi/sympy@1.13.3",
"UID": "248add41654cdbf1"
},
"Version": "1.13.3",
"Locations": [
{
"StartLine": 26,
"EndLine": 26
}
],
"AnalyzedBy": "pip"
},
{
"Name": "tokenizers",
"Identifier": {
"PURL": "pkg:pypi/tokenizers@0.21.0",
"UID": "3cddc1e294d0cc88"
},
"Version": "0.21.0",
"Locations": [
{
"StartLine": 27,
"EndLine": 27
}
],
"AnalyzedBy": "pip"
},
{
"Name": "torch",
"Identifier": {
"PURL": "pkg:pypi/torch@2.8.0",
"UID": "711c7365baaf63f5"
},
"Version": "2.8.0",
"Locations": [
{
"StartLine": 37,
"EndLine": 37
}
],
"AnalyzedBy": "pip"
},
{
"Name": "torchvision",
"Identifier": {
"PURL": "pkg:pypi/torchvision@0.23.0",
"UID": "6878c3499f8ea3ca"
},
"Version": "0.23.0",
"Locations": [
{
"StartLine": 38,
"EndLine": 38
}
],
"AnalyzedBy": "pip"
},
{
"Name": "tqdm",
"Identifier": {
"PURL": "pkg:pypi/tqdm@4.67.1",
"UID": "730b17a30984ec06"
},
"Version": "4.67.1",
"Locations": [
{
"StartLine": 28,
"EndLine": 28
}
],
"AnalyzedBy": "pip"
},
{
"Name": "transformers",
"Identifier": {
"PURL": "pkg:pypi/transformers@4.53.0",
"UID": "4804a06a7f61f194"
},
"Version": "4.53.0",
"Locations": [
{
"StartLine": 29,
"EndLine": 29
}
],
"AnalyzedBy": "pip"
},
{
"Name": "triton",
"Identifier": {
"PURL": "pkg:pypi/triton@3.4.0",
"UID": "65c486a5fad9c441"
},
"Version": "3.4.0",
"Locations": [
{
"StartLine": 30,
"EndLine": 30
}
],
"AnalyzedBy": "pip"
},
{
"Name": "typing_extensions",
"Identifier": {
"PURL": "pkg:pypi/typing-extensions@4.12.2",
"UID": "8329b8171a874ea8"
},
"Version": "4.12.2",
"Locations": [
{
"StartLine": 31,
"EndLine": 31
}
],
"AnalyzedBy": "pip"
},
{
"Name": "urllib3",
"Identifier": {
"PURL": "pkg:pypi/urllib3@2.6.3",
"UID": "4560629ed125df57"
},
"Version": "2.6.3",
"Locations": [
{
"StartLine": 32,
"EndLine": 32
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvicorn",
"Identifier": {
"PURL": "pkg:pypi/uvicorn@0.34.0",
"UID": "6340421f539370a3"
},
"Version": "0.34.0",
"Locations": [
{
"StartLine": 34,
"EndLine": 34
}
],
"AnalyzedBy": "pip"
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2026-25990",
"VendorIDs": [
"GHSA-cfh3-3jmp-rvhc"
],
"PkgName": "pillow",
"PkgIdentifier": {
"PURL": "pkg:pypi/pillow@11.1.0",
"UID": "eb567629c33246d"
},
"InstalledVersion": "11.1.0",
"FixedVersion": "12.1.1",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25990",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:440623a7e74d8296321318d3e3bef465ca62ea5455bad4e36bbdcde93dae23a5",
"Title": "pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image",
"Description": "Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.",
"Severity": "HIGH",
"CweIDs": [
"CWE-787"
],
"VendorSeverity": {
"bitnami": 3,
"ghsa": 3,
"nvd": 3,
"redhat": 3,
"ubuntu": 2
},
"CVSS": {
"bitnami": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"V40Score": 8.9
},
"ghsa": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"V40Score": 8.9
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 7.3
}
},
"References": [
"http://www.openwall.com/lists/oss-security/2026/02/12/1",
"https://access.redhat.com/security/cve/CVE-2026-25990",
"https://github.com/python-pillow/Pillow",
"https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199",
"https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa",
"https://github.com/python-pillow/Pillow/pull/9427",
"https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc",
"https://nvd.nist.gov/vuln/detail/CVE-2026-25990",
"https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html",
"https://ubuntu.com/security/notices/USN-8047-1",
"https://www.cve.org/CVERecord?id=CVE-2026-25990"
],
"PublishedDate": "2026-02-11T21:16:20.67Z",
"LastModifiedDate": "2026-02-13T21:32:55.623Z"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS-0029",
"Title": "'apt-get' missing '--no-install-recommends'",
"Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.",
"Message": "'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y software-properties-common && add-apt-repository ppa:deadsnakes/ppa && apt-get update && apt-get install -y python3.11 python3.11-dev python3.11-distutils python3.11-venv build-essential cmake ninja-build gcc g++ curl git ffmpeg libgl1 libglib2.0-0 && curl -sS https://bootstrap.pypa.io/get-pip.py | python3.11 && pip3.11 install --upgrade pip && apt-get clean && rm -rf /var/lib/apt/lists/*'",
"Namespace": "builtin.dockerfile.DS029",
"Query": "data.builtin.dockerfile.DS029.deny",
"Resolution": "Add '--no-install-recommends' flag to 'apt-get'",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0029",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds-0029"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 7,
"EndLine": 29,
"Code": {
"Lines": [
{
"Number": 7,
"Content": "RUN apt-get update && \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update \u001b[38;5;245m&&\u001b[0m \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 8,
"Content": " apt-get install -y software-properties-common && \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m apt-get install -y software-properties-common \u001b[38;5;245m&&\u001b[0m \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 9,
"Content": " add-apt-repository ppa:deadsnakes/ppa && \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m add-apt-repository ppa:deadsnakes/ppa \u001b[38;5;245m&&\u001b[0m \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 10,
"Content": " apt-get update && \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m apt-get update \u001b[38;5;245m&&\u001b[0m \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " apt-get install -y \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m apt-get install -y \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 12,
"Content": " python3.11 \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m python3.11 \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " python3.11-dev \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m python3.11-dev \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": " python3.11-distutils \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m python3.11-distutils \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " python3.11-venv \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m python3.11-venv \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": true
},
{
"Number": 16,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
}
}
}
]
},
{
"Target": "security-reports/gitleaks-report.json",
"Class": "secret",
"Secrets": [
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 30,
"EndLine": 30,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " \"StartColumn\": 32,",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"StartColumn\": 32,",
"FirstCause": false,
"LastCause": false
},
{
"Number": 29,
"Content": " \"EndColumn\": 71,",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"EndColumn\": 71,",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " \"Match\": \"****************************************\",",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Match\": \"****************************************\",",
"FirstCause": true,
"LastCause": true
},
{
"Number": 31,
"Content": " \"Secret\": \"****************************************\",",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Secret\": \"****************************************\",",
"FirstCause": false,
"LastCause": false
}
]
},
"Match": " \"Match\": \"****************************************\",",
"Offset": 1150
},
{
"RuleID": "github-pat",
"Category": "GitHub",
"Severity": "CRITICAL",
"Title": "GitHub Personal Access Token",
"StartLine": 31,
"EndLine": 31,
"Code": {
"Lines": [
{
"Number": 29,
"Content": " \"EndColumn\": 71,",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"EndColumn\": 71,",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " \"Match\": \"****************************************\",",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Match\": \"****************************************\",",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " \"Secret\": \"****************************************\",",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"Secret\": \"****************************************\",",
"FirstCause": true,
"LastCause": true
},
{
"Number": 32,
"Content": " \"File\": \".gitmodules\",",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": " \"File\": \".gitmodules\",",
"FirstCause": false,
"LastCause": false
}
]
},
"Match": " \"Secret\": \"****************************************\",",
"Offset": 1206
}
]
}
]
}