Security Audit Flags Two High-Severity CVEs in paramiko and diskcache With No Available Fixes
A security audit conducted on 2026-05-09 has uncovered two high-severity vulnerabilities in critical dependencies—paramiko and diskcache—both currently lacking patched versions. The findings expose a significant gap in the dependency chain, with upstream maintainers yet to release fixes for the identified CVEs. The audit, performed against commit SHA 40bb06e, used pip-audit 2.10.0 and bandit 1.9.4 to scan the codebase, revealing a security posture that requires immediate attention despite the absence of critical-severity findings.
The two high-severity vulnerabilities are CVE-2026-44405 affecting paramiko 3.5.1, an SSH library, and CVE-2025-69872 affecting diskcache 5.6.3, a disk caching library. Both CVEs have no fix available at the time of the audit, creating a persistent exposure risk for any system relying on these packages. The paramiko vulnerability is particularly notable given the library's role in SSH operations, a common attack surface for unauthorized access and lateral movement. The audit recommends monitoring upstream repositories for patch releases, but until fixes are deployed, the vulnerabilities remain active liabilities in the dependency tree.
Beyond the high-severity CVEs, the audit recorded 11 medium and 365 low-severity findings from bandit, alongside seven major-version outdated dependencies and 19 additional outdated packages. No secrets were detected in the scan. The combination of unpatchable high-severity vulnerabilities and a large volume of lower-priority findings suggests a codebase under accumulated security pressure, with dependency maintenance emerging as a clear operational risk. Organizations consuming this codebase should assess their exposure to paramiko and diskcache, evaluate mitigation options such as dependency substitution or network-level controls, and track upstream advisories for patch availability.
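The triage the final paragraph recommends, as an added example that is not part of the audit or of this article: a Python script that reads a report in the shape of `pip-audit --format json` output, separates findings that have an upstream fix from those that do not, derives the smallest upgrade pin for the fixable ones, and gates a build so that an unfixable CVE passes only through an explicit, reviewed allowlist entry. The sample report is constructed inline from the two CVE IDs on the page plus a hypothetical `exampledep` package (placeholder CVE id) that exists only to exercise the fixable path. The JSON field names (`dependencies`, `vulns`, `fix_versions`) follow pip-audit's JSON format as I know it; treat them as an assumption to check against your own pip-audit 2.10.0 output.

```python
"""Triage pip-audit JSON output: split findings into fixable (pin an upgrade)
and unfixable (needs a documented exception plus compensating controls)."""
import json
from dataclasses import dataclass

# Constructed sample shaped like `pip-audit --format json` output. Assumption: the
# audit's real report is not on the page; only the two CVEs below are. The
# "exampledep" entry is a hypothetical package with a placeholder CVE id, added
# only to show the fixable path.
SAMPLE_AUDIT_JSON = json.dumps({
    "dependencies": [
        {"name": "paramiko", "version": "3.5.1",
         "vulns": [{"id": "CVE-2026-44405", "fix_versions": [], "aliases": [],
                    "description": "constructed placeholder"}]},
        {"name": "diskcache", "version": "5.6.3",
         "vulns": [{"id": "CVE-2025-69872", "fix_versions": [], "aliases": [],
                    "description": "constructed placeholder"}]},
        {"name": "exampledep", "version": "1.0.0",
         "vulns": [{"id": "CVE-0000-00000", "fix_versions": ["1.0.1", "1.1.0"],
                    "aliases": [], "description": "constructed placeholder"}]},
        {"name": "cleanpkg", "version": "2.3.4", "vulns": []},
    ],
    "fixes": [],
})


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    vuln_id: str
    fix_versions: tuple[str, ...]

    @property
    def fixable(self) -> bool:
        # pip-audit reports an empty fix_versions list when upstream has no patch.
        return bool(self.fix_versions)


def parse_findings(report_json: str) -> list[Finding]:
    """Flatten the per-dependency vuln lists into one Finding per (package, CVE)."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(dep["name"], dep["version"], vuln["id"],
                                    tuple(vuln.get("fix_versions", []))))
    return findings


def triage(findings):
    """Split into (fixable, unfixable); unfixable ones need compensating controls."""
    fixable = [f for f in findings if f.fixable]
    unfixable = [f for f in findings if not f.fixable]
    return fixable, unfixable


def _version_key(v: str):
    # Good enough for ordering simple dotted releases; not a full PEP 440 parser.
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def upgrade_pins(findings) -> dict[str, str]:
    """Smallest fix version per package that closes every fixable CVE for it."""
    pins: dict[str, str] = {}
    for f in findings:
        if not f.fixable:
            continue
        lowest = min(f.fix_versions, key=_version_key)
        if f.package not in pins or _version_key(lowest) > _version_key(pins[f.package]):
            pins[f.package] = lowest
    return pins


def gate(findings, allowlist=frozenset()) -> tuple[bool, list[str]]:
    """CI gate: every finding fails the build unless its CVE id is allowlisted.
    Unfixable CVEs (like the two on the page) can only pass via an explicit,
    reviewed exception entry; fixable ones should be upgraded, not allowlisted."""
    reasons = []
    for f in findings:
        if f.vuln_id in allowlist:
            continue
        fix = f"fix available: {', '.join(f.fix_versions)}" if f.fixable else "no fix available"
        reasons.append(f"{f.package} {f.installed}: {f.vuln_id} ({fix})")
    return (not reasons), reasons


if __name__ == "__main__":
    found = parse_findings(SAMPLE_AUDIT_JSON)
    fixable, unfixable = triage(found)
    print("upgrade:", upgrade_pins(found))
    print("needs exception + compensating controls:", [f.vuln_id for f in unfixable])
    ok, reasons = gate(found)
    print("gate passed:", ok, reasons)
```

Run it against a real report with `pip-audit --format json > audit.json` and feed the file contents to `parse_findings`. The allowlist is the important design choice: an unfixable CVE such as the two paramiko and diskcache entries should fail the build until someone records an exception (with the compensating control and a re-check date) rather than being silently ignored, and the exception should be removed the moment `fix_versions` becomes non-empty, at which point the finding moves into `upgrade_pins`.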