Vulnerability Reportanchore/grype:v0.109.1

anchore/grype:v0.109.1

DIGESTsha256:5db068d57d48ee251726e6e2d4903f47a909371ed83b96ee4812d84a10288c65

Executive Summary

Threat ScoreSAFE• No high-severity vulnerabilities found (max severity 5.95).• All 26 exposed vulnerabilities are low severity (< 6.0).• Post-exploit vulnerabilities are minimal (max severity 2.94).• Image is from a trusted source (anchore, popular community, 8M+ pulls).• Image is pinned by digest, ensuring immutability.

0/100SAFE

ReputationPOPULAR COMMUNITY• High Reputation Community Image (8M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is safe for production use. It contains 26 exposed vulnerabilities and 14 post-exploit findings, all with low severity (max 5.95). No practical exploitation risk given the low CVSS scores and the container's limited attack surface. The image is from a reputable source and pinned by digest.

Vulnerabilities

Vulnerability Log

40 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32280	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34165	MEDIUM4.25	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-33811	LOW3.83	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45570	LOW2.94	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-34040	LOW2.81	github.com/docker/docker v28.5.2+incompatible fixed in 29.3.1	8.1% Low-Moderate Risk	Post-Exploit
CVE-2026-33186	LOW2.78	google.golang.org/grpc v1.76.0 fixed in 1.79.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-33997	LOW2.48	github.com/docker/docker v28.5.2+incompatible fixed in 29.3.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33762	LOW2.38	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45022	LOW2.29	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-34986	LOW2.29	github.com/go-jose/go-jose/v4 v4.1.2 fixed in 4.1.4	0.3% Theoretical Threat	Post-Exploit
CVE-2026-4660	LOW2.29	github.com/hashicorp/go-getter v1.8.4 fixed in 1.8.6	0.4% Theoretical Threat	Post-Exploit
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-41506	LOW2.26	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.18.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42306	LOW2.2	github.com/docker/docker v28.5.2+incompatible No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-32289	LOW1.87	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW1.65	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33481	NONE0	github.com/anchore/syft v1.42.2 fixed in 1.42.3	0.4% Theoretical Threat	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 fixed in 1.7.8	—	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0 fixed in 1.97.3	—	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.1 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-41567	NONE0	github.com/docker/docker v28.5.2+incompatible No fix yet	0.1% Theoretical Threat	Not Applicable
CVE-2026-41568	NONE0	github.com/docker/docker v28.5.2+incompatible No fix yet	0.1% Theoretical Threat	Not Applicable
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable