{"package":"github.com/dagu-org/dagu","ecosystem":"go","latest_version":"v1.30.3","description":"Self-hosted workflow engine for scripts, cron jobs, containers, and ops automation. YAML workflows, retries, logs, approvals, and optional distributed workers.","license":"GPL-3.0","license_risk":"strong_copyleft","commercial_use_notes":"GPL-3.0: derivative works must release source under GPL; includes explicit patent grant.","homepage":"https://pkg.go.dev/github.com/dagu-org/dagu","repository":"https://github.com/dagu-org/dagu","downloads_weekly":3324,"health":{"score":41,"risk":"high","breakdown":{"maintenance":15,"popularity":6,"security":0,"maturity":15,"community":5},"deprecated":false,"max_score":100},"vulnerabilities":{"count":7,"critical":2,"high":1,"medium":0,"low":4,"details":[{"vuln_id":"GO-2026-4527","severity":"critical","summary":"Dagu affected by unauthenticated RCE via inline DAG spec in default configuration","affected_versions":"<=1.30.3","fixed_version":null,"source":"osv","published_at":"2026-02-19T22:04:39Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2026-31886","severity":"critical","summary":"Dagu: Path Traversal via `dagRunId` in Inline DAG Execution","affected_versions":"<=2.2.4","fixed_version":null,"source":"osv","published_at":"2026-03-13T15:40:11Z","in_kev":false,"epss_prob":0.0005,"epss_percentile":0.15363,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33344","severity":"high","summary":"Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG","affected_versions":">=1.30.4-0.20260221021317-e2ed589105d7,<1.30.4-0.20260319093346-7d07fda8f9de","fixed_version":"1.30.4-0.20260319093346-7d07fda8f9de","source":"osv","published_at":"2026-03-19T19:25:44Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07538,"threat_tier":"theoretical"},{"vuln_id":"GHSA-6qr9-g2xw-cw92","severity":"unknown","summary":"Dagu affected by unauthenticated RCE via inline DAG spec in default configuration in 
github.com/dagu-org/dagu","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-23T18:23:15Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2026-27598","severity":"unknown","summary":"Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory in github.com/dagu-org/dagu","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-25T23:07:04Z","in_kev":false,"epss_prob":0.0013,"epss_percentile":0.32061,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-31886","severity":"unknown","summary":"Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-13T19:53:03Z","in_kev":false,"epss_prob":0.0005,"epss_percentile":0.15363,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-33344","severity":"unknown","summary":"Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG in 
github.com/dagu-org/dagu","affected_versions":">=1.30.4-0.20260221021317-e2ed589105d7,<1.30.4-0.20260319093346-7d07fda8f9de","fixed_version":"1.30.4-0.20260319093346-7d07fda8f9de","source":"osv","published_at":"2026-03-23T18:16:14Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07538,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v1.30.3","total_count":219,"recent":["v1.7.4","v1.16.0","v1.0.1","v1.15.0","v1.26.0","v1.2.11","v1.1.0","v1.1.7","v1.8.4","v1.3.7","v1.3.12","v1.17.0-beta.12","v1.6.7","v1.22.6","v1.7.6","v1.16.5","v1.12.7","v1.24.8","v1.22.8","v1.3.16"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":74,"first_published":null,"last_published":"2026-01-04T11:22:59Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["1 high severity vulnerability","2 critical vulnerabilities"],"use_version":"v1.30.3","version_hint":"Update to >= 1.30.4-0.20260319093346-7d07fda8f9de to fix CVE-2026-33344; GO-2026-4527 and CVE-2026-31886 list no fixed version in this report","summary":"github.com/dagu-org/dagu has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"miss","_response_ms":924,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":1468,"last_release_days_ago":115,"avg_days_between_releases":77,"release_velocity":"moderate"}}