SECR-002: Vulnerable Third-Party Dependencies ¶
1 Status ¶
| Date | Status | |
|---|---|---|
| 02-07-2026 | Identified | |
| ▶ | 04-07-2026 | Analysed |
2 Threat ¶
An attacker exploits a publicly known vulnerability in one of the product's outdated third-party libraries.
3 Vulnerability ¶
Dependencies are pinned once per release and never rescanned; the current lock file contains libraries with published advisories.
4 CVSS Vector ¶
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5 CVSS Score ¶
6 Mitigation ¶
Add a dependency audit to the build that fails on any advisory at High or above, and schedule a monthly update window for the rest.
7 Monitoring ¶
The audit report is attached to every release; advisories arriving between releases are triaged within one working day.