87 of your 230 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 6.31s · analysis 19.46s · 11.0 MB · GitHub API rate-limit (preflight)

AIDC-AI/Pixelle-Video

https://github.com/AIDC-AI/Pixelle-Video.git · scanned 2026-06-09 04:30 UTC (18 hours, 40 minutes ago) · 10 languages

1065 raw signals (206 security + 859 graph) · 33rd percentile · Python · medium (20-100K LoC) · System graph score 59 (lower by 17)


Complete repo analysis

Last scanned 18 hours, 39 minutes ago · v5 · last Δ -0.1 (diff) · 287 actionable findings from 2 signal sources. 94 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score       60.0        0.15     9.00
security_score        23.2        0.25     5.80
testing_score         0.0         0.20     0.00
documentation_score   88.7        0.15     13.30
practices_score       77.0        0.15     11.55
code_quality          30.1        0.10     3.01
Overall                           1.00     42.7
Active filters: layer: software; excluding tests.
Scan summary Quality grade D (43/100). Dimensions: security 23, maintainability 60. 206 findings (71 security). 26,101 lines analyzed.

Showing 87 of 287 actionable findings. 381 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 authlib: GHSA-wvwj-cvrp-7pv5
Authlib JWS JWK Header Injection: Signature Verification Bypass
uv.lock
critical Security checks software dependencies conf 0.88 fastmcp: GHSA-vv7q-7jx5-f767
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
uv.lock
high Security checks software dependencies conf 0.88 authlib: GHSA-7432-952r-cw78
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
uv.lock
high Security checks software dependencies conf 0.88 authlib: GHSA-7wc2-qxgw-g8gg
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
uv.lock
high Security checks software dependencies conf 0.88 authlib: GHSA-m344-f55w-2m6j
Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
uv.lock
high Security checks software dependencies conf 0.88 authlib: PYSEC-2026-188
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attac…
uv.lock
high Security checks software dependencies conf 0.88 authlib: PYSEC-2026-25
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
uv.lock
high Security checks software dependencies conf 0.88 cryptography: GHSA-r6ph-v2qm-q3c2
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
uv.lock
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-35
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography woul…
uv.lock
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-36
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in…
uv.lock
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `python:3.11-slim` not pinned by digest
`FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:3
high Security checks software dependencies conf 0.88 fastmcp: GHSA-rww4-4w9c-7733
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
uv.lock
high Security checks software dependencies conf 0.88 gitpython: GHSA-7545-fcxq-7j24
GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository
uv.lock
high Security checks software dependencies conf 0.88 gitpython: GHSA-mv93-w799-cj2w
GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
uv.lock
high Security checks software dependencies conf 0.88 gitpython: GHSA-v87r-6q3f-2j67
GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
uv.lock
high Security checks software dependencies conf 0.88 gitpython: GHSA-x2qx-6953-8485
GitPython: Unsafe option check validates multi_options before shlex.split transformation
uv.lock
high Security checks software dependencies conf 0.88 lupa: GHSA-69v7-xpr6-6gjm
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
uv.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-cfh3-3jmp-rvhc
Pillow affected by out-of-bounds write when loading PSD images
uv.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
uv.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
uv.lock
high Security checks software dependencies conf 0.88 pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
uv.lock
high Security checks software dependencies conf 0.88 protobuf: GHSA-7gcm-g887-7qv7
protobuf affected by a JSON recursion depth bypass
uv.lock
high Security checks software dependencies conf 0.88 pyarrow: PYSEC-2026-113
Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and Stri…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2025-183
pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-120
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-175
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-176
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature ver…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-177
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-179
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…
uv.lock
high Security checks software dependencies conf 0.88 python-multipart: GHSA-pp6c-gr5w-3c5g
python-multipart has Denial of Service via unbounded multipart part headers
uv.lock
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
uv.lock
high Security checks software dependencies conf 0.88 tornado: GHSA-fqwm-6jpj-5wxc
Tornado has cookie attribute injection via .RequestHandler.set_cookie
uv.lock
high Security checks software dependencies conf 0.88 tornado: PYSEC-2026-140
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibilit…
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-142
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dr…
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-c427-h43c-vf67
AIOHTTP accepts duplicate Host headers
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-m5qp-6w8w-w647
AIOHTTP has a Multipart Header Size Bypass
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-w2fm-2cpv-w7v5
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
uv.lock
medium Security checks software dependencies conf 0.88 authlib: GHSA-w8p2-r796-3vmq
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
uv.lock
medium Security checks software dependencies conf 0.88 diskcache: GHSA-w8v5-vhqr-4h9v
DiskCache has unsafe pickle deserialization
uv.lock
medium Security checks software dependencies conf 0.88 fastmcp: GHSA-m8x7-r2rg-vh5g
FastMCP has a Command Injection vulnerability - Gemini CLI
uv.lock
medium Security checks software dependencies conf 0.88 2 occurrences idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
2 files, 2 locations
requirements-docs.txt
uv.lock
medium Security checks software dependencies conf 0.88 pillow: GHSA-5xmw-vc9v-4wf2
Pillow has a heap buffer overflow with nested list coordinates
uv.lock
medium Security checks software dependencies conf 0.88 pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
uv.lock
medium Security checks software dependencies conf 0.88 pymdown-extensions: GHSA-62q4-447f-wv8h
Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path
requirements-docs.txt
medium Security checks software dependencies conf 0.88 pytest: GHSA-6w46-j5rx-g56g
pytest has vulnerable tmpdir handling
uv.lock
medium Security checks software dependencies conf 0.88 python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
uv.lock
medium Security checks software dependencies conf 0.88 python-multipart: GHSA-mj87-hwqh-73pj
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
uv.lock
high Security checks software dependencies conf 0.70 3 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
3 files, 3 locations
docs/en/faq.md:12
docs/zh/faq.md:12
docs/zh/getting-started/installation.md:59
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
uv.lock
medium Security checks software dependencies conf 0.88 streamlit: GHSA-7p48-42j8-8846
Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)
uv.lock
medium Security checks software dependencies conf 0.88 tornado: GHSA-78cv-mqj4-43f7
Tornado has incomplete validation of cookie attributes
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-2vrm-gr82-f7m5
AIOHTTP has CRLF injection through multipart part content type header construction
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-3wq7-rqq7-wx6j
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-63hf-3vf5-4wqf
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-966j-vmvw-g2g9
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-hcc4-c3v8-rx92
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-mwh4-6h8g-pg8w
AIOHTTP has HTTP response splitting via \r in reason phrase
uv.lock
low Security checks software dependencies conf 0.88 pygments: GHSA-5239-wwwm-4pmq
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
uv.lock
low Security checks software dependencies conf 0.88 pymdown-extensions: GHSA-r6h4-mm7h-8pmq
PyMdown Extensions has a ReDOS bug in its Figure Capture extension
requirements-docs.txt
low System graph software Dead code conf 1.00 Possibly dead Python function: animation_source_label
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/pipelines/asset_based.py:371
low System graph software Dead code conf 1.00 Possibly dead Python function: duplicate_task
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/history_manager.py:135
low System graph software Dead code conf 1.00 Possibly dead Python function: ensure_dir
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/os_util.py:186
low System graph software Dead code conf 1.00 Possibly dead Python function: execute_video_generation
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/routers/video.py:211
low System graph software Dead code conf 1.00 Possibly dead Python function: export_task
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/history_manager.py:206
low System graph software Dead code conf 1.00 Possibly dead Python function: frame_progress_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/pipelines/standard.py:377
low System graph software Dead code conf 1.00 Possibly dead Python function: generate_images
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/api_services/image_gpt.py:139
low System graph software Dead code conf 1.00 Possibly dead Python function: generate_narrations_from_content
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/content_generators.py:153
low System graph software Dead code conf 1.00 Possibly dead Python function: generate_video_prompts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/content_generators.py:372
low System graph software Dead code conf 1.00 Possibly dead Python function: generate_video_wrapper
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/service.py:260
low System graph software Dead code conf 1.00 Possibly dead Python function: image_prompt_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/pipelines/standard.py:189
low System graph software Dead code conf 1.00 Possibly dead Python function: make_task_progress_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/components/output_preview.py:314
low System graph software Dead code conf 1.00 Possibly dead Python function: regenerate_frame
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/history_manager.py:178
low System graph software Dead code conf 1.00 Possibly dead Python function: reload
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/config/manager.py:71
low System graph software Dead code conf 1.00 Possibly dead Python function: replacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/frame_html.py:291
low System graph software Dead code conf 1.00 Possibly dead Python function: report_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packaging/windows/build.py:128
low System graph software Dead code conf 1.00 Possibly dead Python function: save_bytes_to_file
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/os_util.py:160
low System graph software Dead code conf 1.00 Possibly dead Python function: split_image
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/api_services/image_processor.py:84
low System graph software Dead code conf 1.00 Possibly dead Python function: stitch_images
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/api_services/image_processor.py:111
low System graph software Dead code conf 1.00 Possibly dead Python function: task_exists
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/persistence.py:297
low System graph software Dead code conf 1.00 Possibly dead Python function: update_overall_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/components/output_preview.py:306
low System graph software Dead code conf 1.00 3 occurrences Possibly dead Python function: update_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
3 files, 3 locations
api/tasks/manager.py:181
web/components/output_preview.py:104
web/pipelines/asset_based.py:521
low System graph software Dead code conf 1.00 Possibly dead Python function: update_task_status
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/persistence.py:163
API access

This page is publicly accessible at: https://repobility.com/scan/165367cf-223f-4f21-bba3-528fca54e0e5/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/165367cf-223f-4f21-bba3-528fca54e0e5/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.