{"package":"github.com/dgraph-io/dgraph","ecosystem":"go","latest_version":"v1.2.8","description":"high-performance graph database for real-time use cases","license":"","license_risk":"unknown","commercial_use_notes":"No license declared in registry metadata — verify manually before commercial use.","homepage":"https://pkg.go.dev/github.com/dgraph-io/dgraph","repository":"https://github.com/dgraph-io/dgraph","downloads_weekly":21670,"health":{"score":38,"risk":"critical","breakdown":{"maintenance":0,"popularity":10,"security":0,"maturity":15,"community":13},"deprecated":false,"max_score":100},"vulnerabilities":{"count":5,"critical":4,"high":0,"medium":1,"low":0,"details":[{"vuln_id":"CVE-2023-31135","severity":"medium","summary":"Dgraph Audit Log Encryption Vulnerability","affected_versions":"<23.0.0","fixed_version":"23.0.0","source":"osv","published_at":"2023-05-17T17:07:40Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13865,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-40173","severity":"critical","summary":"Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints","affected_versions":"<25.3.2|<=24.1.7|<=1.2.8","fixed_version":"25.3.2","source":"osv","published_at":"2026-04-16T21:08:07Z","in_kev":false,"epss_prob":0.00118,"epss_percentile":0.30341,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-41327","severity":"critical","summary":"Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field","affected_versions":"<25.3.3|<=24.1.8|<=1.2.8","fixed_version":"25.3.3","source":"osv","published_at":"2026-04-24T15:41:21Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08979,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-34976","severity":"critical","summary":"Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing 
Authorization","affected_versions":"<25.3.1|<=24.0.5|<=1.2.8","fixed_version":"25.3.1","source":"osv","published_at":"2026-04-02T20:44:36Z","in_kev":false,"epss_prob":0.00095,"epss_percentile":0.26243,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-41328","severity":"critical","summary":"Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field","affected_versions":"<25.3.3|<=24.1.8|<=1.2.8","fixed_version":"25.3.3","source":"osv","published_at":"2026-04-24T15:41:42Z","in_kev":false,"epss_prob":0.00076,"epss_percentile":0.22612,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v1.2.8","total_count":111,"recent":["v0.8.2","v1.0.9-rc3","v1.0.9-vc","v1.0.13","v1.0.14","v1.0.15-rc4","v1.0.14-rc2","v1.0.1","v1.1.0","v1.0.7","v1.0.12-rc4","v1.0.15-rc6","v1.0.12-rc1","v0.4.2","v1.0.7-rc2","v1.0.9-rc1","v1.0.17","v0.9.4","v1.0.14-opencensus","v1.0.9-rc4"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":240,"first_published":null,"last_published":"2020-10-28T04:49:45Z","dependencies_count":0,"dependencies":[]},"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Low health score (38/100)","4 critical vulnerabilities"],"use_version":"v1.2.8","version_hint":"Update to >= 25.3.3 to fix known vulnerabilities; v1.2.8, the latest version listed for this package, is inside the affected range of every advisory listed and is not a fixed version","summary":"github.com/dgraph-io/dgraph has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":true,"bus_factor_3m":8,"active_contributors_12m":18,"primary_author_ratio":0.33,"owner_account_age_days":3892,"is_archived":false,"stars":21670,"alerts":[]},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false}}