# Know every vulnerable dependency you ship
Athrv SCA scans your open-source dependencies against the NVD, surfacing CVEs with CVSS scores, affected versions, and exact upgrade paths.
## See every vulnerable package, instantly

CVE ID, CVSS score, installed version, and the exact version that fixes it — all in one view.

## Real CVEs from a real scan

This is a subset of what a typical Python project scan looks like — 595 findings across Flask and Jinja2 alone.

| CVE ID | Severity | Package | Installed | Fixed In | CVSS | Vulnerability |
|---|---|---|---|---|---|---|
| CVE-2018-1000656 | HIGH | Flask | 0.12.2 | 0.12.3 | 7.5 | Denial of Service via crafted JSON file |
| CVE-2019-1010083 | HIGH | Flask | 0.12.2 | 1.0 | 7.5 | Unexpected memory usage via crafted encoded JSON data |
| CVE-2023-30861 | HIGH | Flask | 0.12.2 | 2.3.2 | 7.5 | Possible disclosure of permanent session cookie |
| CVE-2026-27205 | LOW | Flask | 0.12.2 | 3.1.3 | 4.3 | Information disclosure via improper caching of session data |
| CVE-2019-10906 | HIGH | Jinja2 | 2.10 | 2.10.1 | 8.6 | str.format_map allows sandbox escape |
| CVE-2020-28493 | MEDIUM | Jinja2 | 2.10 | 2.11.3 | 5.3 | ReDoS vulnerability in the urlize filter |
| CVE-2024-22195 | MEDIUM | Jinja2 | 2.10 | 3.1.3 | 5.4 | HTML attribute injection when passing user input as keys to xmlattr |
| CVE-2024-56326 | MEDIUM | Jinja2 | 2.10 | 3.1.5 | 7.8 | Sandbox breakout through indirect reference to format method |
## Built for developers, not just security teams

Actionable output means developers can act on findings without a security expert translating them.

- Scans your requirements.txt, package.json, pom.xml and more. Every transitive dependency is checked against the National Vulnerability Database.
- Every finding links to the canonical CVE entry with CVSS score, description, affected versions, and recommended fix — no tab switching required.
- A "Fixed In" version is shown for every finding, so developers know exactly which version to upgrade to, not just that something is broken.
- Drop into any pipeline. Block merges when critical CVEs appear, and auto-comment findings on pull requests.
- Sort and filter by CVSS score so high-impact vulnerabilities surface first, not just the most recently discovered.
- Track findings per target file. Export structured reports for compliance audits, client reviews, or internal security dashboards.
## CVSS-driven prioritisation

Every CVE is scored and classified so your team always patches the highest-impact issues first.

- Critical: remote code execution, authentication bypass, full data exposure.
- High: denial of service, sandbox escape, sensitive data leakage.
- Medium: ReDoS, information disclosure, injection via filter functions.
- Low: improper caching, deprecated API usage, minor logic flaws.
## From manifest to remediation

Four steps from dependency file to patched, verified code.

1. Drop in requirements.txt, package.json, pom.xml or any supported manifest. Scan triggers instantly.
2. Every package and version is cross-referenced against the National Vulnerability Database in real time.
3. Findings are scored with CVSS, classified by severity, and mapped to canonical CVE identifiers.
4. Follow the "Fixed In" version, upgrade the dependency, and re-scan to confirm the CVE is resolved.
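The four steps above, the CVSS-based classification, and the merge gate from the pipeline integration, shown end to end in a small added example. This is not Athrv's code or output: it parses `==` pins from a requirements.txt, matches them against a constructed advisory table (a subset of the CVEs in the table above, with the same "Fixed In" versions and CVSS scores), classifies and sorts findings by CVSS, reports the single upgrade target per package, and decides whether a build may merge. Two assumptions are baked in: a package is treated as affected whenever the installed version is below "Fixed In" (real NVD records carry introduced and fixed bounds per CPE, so production tooling must honour both), and severity labels use the FIRST CVSS v3.x qualitative ranges (0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, 9.0 to 10.0 Critical); a scanner may apply its own cut-offs, so treat the numeric CVSS score, not the label, as the sort key when comparing tools.

```python
"""Minimal SCA matcher: requirements.txt -> CVE findings, prioritised by CVSS.

Added illustration, not the product's code. The advisory table is constructed
from the CVEs shown on this page; a real scanner queries the NVD instead.
"""
import re
from dataclasses import dataclass

# Constructed advisory database: package -> (CVE, fixed_in, CVSS, summary).
# Simplification: any installed version below fixed_in is considered affected.
ADVISORIES = {
    "flask": [
        ("CVE-2018-1000656", "0.12.3", 7.5, "Denial of Service via crafted JSON file"),
        ("CVE-2023-30861", "2.3.2", 7.5, "Possible disclosure of permanent session cookie"),
        ("CVE-2026-27205", "3.1.3", 4.3, "Information disclosure via improper caching of session data"),
    ],
    "jinja2": [
        ("CVE-2019-10906", "2.10.1", 8.6, "str.format_map allows sandbox escape"),
        ("CVE-2020-28493", "2.11.3", 5.3, "ReDoS vulnerability in the urlize filter"),
    ],
}

SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}


@dataclass
class Finding:
    cve: str
    package: str
    installed: str
    fixed_in: str
    cvss: float
    severity: str
    summary: str


def parse_version(v):
    """Dotted numeric version -> tuple of ints, so '2.10' sorts after '2.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def cvss_severity(score):
    """CVSS v3.x qualitative rating ranges as published by FIRST."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def parse_requirements(text):
    """Return {package_lower: version} for exact '==' pins; comments and other specifiers are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def scan(requirements_text, advisories=ADVISORIES):
    """Steps 1-3: parse the manifest, cross-reference each pin, score and classify; highest CVSS first."""
    findings = []
    for pkg, installed in parse_requirements(requirements_text).items():
        for cve, fixed_in, cvss, summary in advisories.get(pkg, []):
            if parse_version(installed) < parse_version(fixed_in):
                findings.append(Finding(cve, pkg, installed, fixed_in, cvss, cvss_severity(cvss), summary))
    findings.sort(key=lambda f: f.cvss, reverse=True)  # stable: equal scores keep advisory order
    return findings


def upgrade_targets(findings):
    """Step 4 input: the highest 'Fixed In' per package, i.e. the one version that closes every listed CVE."""
    targets = {}
    for f in findings:
        current = targets.get(f.package)
        if current is None or parse_version(f.fixed_in) > parse_version(current):
            targets[f.package] = f.fixed_in
    return targets


def gate(findings, block_at="HIGH"):
    """Pipeline gate: True (merge allowed) only if no finding reaches the threshold severity."""
    return all(SEVERITY_ORDER[f.severity] < SEVERITY_ORDER[block_at] for f in findings)


# Constructed sample manifest matching the 'Installed' column above.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
Flask==0.12.2
Jinja2==2.10
requests==2.31.0
"""

if __name__ == "__main__":
    found = scan(SAMPLE_REQUIREMENTS)
    for f in found:
        print(f"{f.cve:17} {f.severity:8} {f.package:7} {f.installed:7} -> {f.fixed_in:7} {f.cvss:4} {f.summary}")
    print("merge allowed:", gate(found))
    print("upgrade to:", upgrade_targets(found))
    # Re-scan after following the upgrade targets: no findings remain.
    print("after upgrade:", scan("Flask==3.1.3\nJinja2==3.1.5\n"))
```

Running it on the sample manifest yields five findings led by CVE-2019-10906 (8.6), a blocked merge at the default HIGH threshold, and upgrade targets of Flask 3.1.3 and Jinja2 2.11.3; re-scanning a manifest pinned at or above those versions returns nothing, which is the verification step the page describes.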
## Stop shipping known vulnerabilities

Run your first dependency scan in under 30 seconds. Free tier, no credit card required.