Skip to content

Security Review — 2026-07-12 — security-clean#142

Open
jdrumgoole wants to merge 1 commit into
mainfrom
security-review/2026-07-12
Open

Security Review — 2026-07-12 — security-clean#142
jdrumgoole wants to merge 1 commit into
mainfrom
security-review/2026-07-12

Conversation

@jdrumgoole

Copy link
Copy Markdown
Owner

Summary

Daily automated security audit — clean bill of health.

  • 0 CRITICAL, 0 WARNING, 39 INFO findings
  • No application code changes since last review (2026-07-09)
  • All dependency versions unchanged in lockfile

Changes from previous review

  • INFO-38 updated: Added 2 newly disclosed Pillow CVEs (CVE-2026-55379 BDF font memory exhaustion, CVE-2026-55798 Windows ImageShow command injection). Neither exploitable in WineBox — only JPEG/PNG/GIF/WebP accepted, runs on Linux.
  • INFO-39 added (new): Inconsistent escapeHtml() usage in client-side JavaScript — several locations in app.js interpolate server data into innerHTML without escaping. Mitigated by CSP (script-src 'self' blocks inline scripts). Highest-risk vector is self-XSS via crafted CSV import data.

Top 3 priorities

  1. Batch dependency upgrade (cryptography, python-multipart, PyJWT, Pillow) — closes 13 CVEs
  2. Coordinated FastAPI + Starlette upgrade — closes 4 Starlette CVEs
  3. Fix price-tracker.js and app.js escaping gaps — easy wins for defence-in-depth

Generated by Claude Code

Daily security audit: 0 CRITICAL, 0 WARNING, 39 INFO findings.
No code changes since last review. INFO-38 updated with 2 new
Pillow CVEs (not exploitable). New INFO-39 for inconsistent
client-side escapeHtml() usage (mitigated by CSP).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LghZUFhd3qBmtM57RLPhX8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants