github.com/anxolerd/dvpwa

Submitted 6/8/2026, 7:31:36 PM · Status: ok

Risk grade
F
100 / 100
Findings
146
4 critical · 11 high · 99 medium · 31 low · 1 info · 0 on CISA KEV · 0 ATT&CK
Showing 146 of 146 findings

Findings

  • Improper Input Validation in PyYAML
    grype
  • PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
    grype
  • PyYAML: incomplete fix for CVE-2020-1747
    A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrust…
    trivy
  • PyYAML: yaml.load() API could execute arbitrary code
    In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
    trivy
  • aiohttp is vulnerable to directory traversal
    grype
  • aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
    grype
  • AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    grype
  • Jinja2 sandbox escape via string formatting
    grype
  • Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection.
    Avoiding SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL Injection. In order to execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For com…
    semgrep · /tmp/scan-psc_7adddd155d9fc119d99e61cb108cd2ab/repo/sqli/dao/student.py:45
  • aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust …
    trivy
  • aiohttp: DoS when trying to parse malformed POST requests
    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process …
    trivy
  • aiohttp: follow_symlinks directory traversal vulnerability
    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether…
    trivy
  • Image user should not be 'root'
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    trivy · Dockerfile.app:0
  • Image user should not be 'root'
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    trivy · Dockerfile.db:0
  • python-jinja2: str.format_map allows sandbox escape
    In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
    trivy

This report is public.