Home/cceval/Trust report

Trust and health report

cceval - trust report

Sourced, dated trust signals - maintenance label posture, repository provenance, and security scan status. Not a composite safety grade.

GraphCanon updated today · GitHub synced today

Maintenance

Recency and activity heuristics from public GitHub metadata (maintenance label, momentum); methodology: github_public_v1.

Slowing36% signal

last push 330d ago

Provenance

Repository identity and fork provenance (github_public_v1).

Security scan

Dependency advisory security scan when a lockfile is present. Not a full code audit.

Status
5 critical, 7 high, 8 medium, 21 low
Last scan
today
Scanner
osv@v1

Findings

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
vllm@0.3.3 · CVE-2026-34756 · requirements.txt
vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors
vllm@0.3.3 · CVE-2026-47155 · requirements.txt
Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching
vllm@0.3.3 · CVE-2025-46570 · requirements.txt
vLLM Deserialization of Untrusted Data vulnerability
vllm@0.3.3 · CVE-2024-11041 · requirements.txt
vLLM: OOM Denial of Service via Audio Decompression Bomb
vllm@0.3.3 · CVE-2026-54233 · requirements.txt
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
vllm@0.3.3 · CVE-2026-54235 · requirements.txt
vLLM vulnerable to remote code execution via transformers_utils/get_config
vllm@0.3.3 · CVE-2025-66448 · requirements.txt
vLLM: OpenAI auth bypass
vllm@0.3.3 · CVE-2026-48746 · requirements.txt
vllm has Improper Resource Shutdown or Release
vllm@0.3.3 · CVE-2026-9540 · requirements.txt
vLLM allows Remote Code Execution by Pickle Deserialization via AsyncEngineRPCServer() RPC server entrypoints
vllm@0.3.3 · CVE-2024-9053 · requirements.txt
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0
vllm@0.3.3 · requirements.txt
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
vllm@0.3.3 · CVE-2026-54236 · requirements.txt
vLLM denial of service via outlines unbounded cache on disk
vllm@0.3.3 · CVE-2025-29770 · requirements.txt
vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object
vllm@0.3.3 · CVE-2024-9052 · requirements.txt
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
vllm@0.3.3 · CVE-2026-41523 · requirements.txt
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
vllm@0.3.3 · CVE-2026-24779 · requirements.txt
vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator
vllm@0.3.3 · CVE-2025-24357 · requirements.txt
vLLM uses Python 3.12 built-in hash() which leads to predictable hash collisions in prefix cache
vllm@0.3.3 · CVE-2025-25183 · requirements.txt
vllm API endpoints vulnerable to Denial of Service Attacks
vllm@0.3.3 · CVE-2025-48956 · requirements.txt
vLLM denial of service vulnerability
vllm@0.3.3 · CVE-2024-8768 · requirements.txt
vLLM Denial of Service via the best_of parameter
vllm@0.3.3 · CVE-2024-8939 · requirements.txt
vLLM is vulnerable to timing attack at bearer auth
vllm@0.3.3 · CVE-2025-59425 · requirements.txt
vLLM makes Use of Uninitialized Resource
vllm@0.3.3 · CVE-2026-7141 · requirements.txt
PYSEC-2025-222
vllm@0.3.3 · CVE-2024-9053 · requirements.txt
PYSEC-2025-223
vllm@0.3.3 · CVE-2025-29770 · requirements.txt
PYSEC-2025-42
vllm@0.3.3 · CVE-2025-32444 · requirements.txt
PYSEC-2025-43
vllm@0.3.3 · CVE-2025-46722 · requirements.txt
PYSEC-2025-50
vllm@0.3.3 · CVE-2025-48887 · requirements.txt
PYSEC-2025-53
vllm@0.3.3 · CVE-2025-46570 · requirements.txt
PYSEC-2025-58
vllm@0.3.3 · CVE-2025-24357 · requirements.txt
PYSEC-2025-62
vllm@0.3.3 · CVE-2025-25183 · requirements.txt
vLLM vulnerable to remote code execution via transformers_utils/get_config
vllm@0.3.3 · CVE-2025-66448 · requirements.txt
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
vllm@0.3.3 · CVE-2026-24779 · requirements.txt
vllm API endpoints vulnerable to Denial of Service Attacks
vllm@0.3.3 · CVE-2025-48956 · requirements.txt
vLLM denial of service vulnerability
vllm@0.3.3 · CVE-2024-8768 · requirements.txt
vLLM Denial of Service via the best_of parameter
vllm@0.3.3 · CVE-2024-8939 · requirements.txt
vLLM is vulnerable to timing attack at bearer auth
vllm@0.3.3 · CVE-2025-59425 · requirements.txt
PYSEC-2026-226
vllm@0.3.3 · CVE-2026-48746 · requirements.txt
PYSEC-2026-227
vllm@0.3.3 · CVE-2026-54232 · requirements.txt
vLLM Deserialization of Untrusted Data vulnerability
vllm@0.3.3 · CVE-2024-11041 · requirements.txt
vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object
vllm@0.3.3 · CVE-2024-9052 · requirements.txt

Method and caveats:these are sourced, dated heuristics from public GitHub data and optional dependency scans. A status like "no criticals found on 2026-07-11" is not a guarantee of safety. Read the full trust methodology · JSON report at /api/graphcanon/tools/amazon-science-cceval/trust.

Common questions

Is cceval maintained?
GraphCanon rates cceval "Slowing" (36% maintenance signal from public GitHub metadata, computed today). Last push was 330 days ago. This is a recency heuristic, not a guarantee the project will stay maintained.
Is cceval safe to use?
Last scanned today (deps profile). Status: 5 critical, 7 high, 8 medium, 21 low - 5 critical, 7 high, 8 medium, 21 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report. GraphCanon does not certify cceval as safe - review maintenance, provenance, and scan findings on this page before adopting.
Is cceval a fork?
No. cceval is not flagged as a fork in GitHub metadata at the time of the last refresh.
Does cceval have known security vulnerabilities?
Last scanned today (deps profile). Status: 5 critical, 7 high, 8 medium, 21 low - 5 critical, 7 high, 8 medium, 21 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report.
How often is the cceval trust report updated?
Trust signals refresh on GitHub ingest/refresh cycles and optional dependency/MCP scans. This report was computed today (methodology github_public_v1).
What does GraphCanon never claim about cceval?
We never publish a composite safety grade, pen-test endorsement, or "verified secure" label for cceval. Signals are sourced heuristics with explicit limits - see trust methodology.
How does GraphCanon assess trust for cceval?
Signals are sourced from public GitHub metadata and optional dependency/MCP manifest scans, each tagged with methodology version and computed date. GraphCanon does not publish a composite safety grade. Read trust methodology for full scope and limits.