It seems that PurlDB is currently using several dependencies that have not been updated in a while, some of which had vulnerabilities reported that may or may not be exploitable in the context of PurlDB. For instance, Django 5.1.13 is affected by CVE-2025-64459 and 5.1.x has reached EOL in December 2025. I would kindly ask you to review dependencies and update to current and supported versions.
Attached are potentially relevant vulnerabilities listed in VDR and VEX format, based on the SBOM that has been generated from the requirements.txt using cdxgen.
2026-03-16-purldb-vex.cdx.json
2026-03-16-purldb-vdr.cdx.json
2026-03-16-purldb-sbom-v7.1.0-patched.5.json
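As an added illustration (not part of this issue and not PurlDB code), the following script reads a CycloneDX VDR/VEX document of the kind cdxgen produces from a requirements.txt and lists the components whose vulnerabilities are not ruled out by a VEX analysis state, which is the triage step a maintainer would run on the attached files. The embedded document is constructed: the Django component and CVE-2025-64459 are taken from the issue text; the second component and its "not_affected" entry are hypothetical.

```python
import json

# Constructed sample in CycloneDX 1.6 shape, modelled on cdxgen output.
# Django 5.1.13 / CVE-2025-64459 are from the issue; "examplelib" and its
# VEX analysis are hypothetical, and its vulnerability id is a placeholder.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/django@5.1.13",
         "name": "django", "version": "5.1.13",
         "purl": "pkg:pypi/django@5.1.13"},
        {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.0.0",
         "name": "examplelib", "version": "1.0.0",
         "purl": "pkg:pypi/examplelib@1.0.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2025-64459",
         "affects": [{"ref": "pkg:pypi/django@5.1.13"}]},
        {"id": "PLACEHOLDER-VULN-1",  # constructed id, not a real advisory
         "affects": [{"ref": "pkg:pypi/examplelib@1.0.0"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"}},
    ],
})

# CycloneDX analysis states that mean "no action needed" for this release.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree",
                 "false_positive"}


def triage(vdr_json):
    """Map each component bom-ref to the vulnerability ids still open
    against it, i.e. those without a VEX analysis state in CLOSED_STATES.
    Refs that do not resolve to a component are skipped: they mean the
    VDR/VEX and the SBOM have drifted apart and should be regenerated."""
    doc = json.loads(vdr_json)
    known = {c["bom-ref"] for c in doc.get("components", [])}
    open_by_component = {}
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") in CLOSED_STATES:
            continue
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref in known:
                open_by_component.setdefault(ref, []).append(vuln["id"])
    return open_by_component


if __name__ == "__main__":
    for ref, ids in triage(SAMPLE_VDR).items():
        print(f"{ref}: {', '.join(ids)}")
```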