Vulnerability Reportanchore/grype:v0.110.0

anchore/grype:v0.110.0

DIGESTsha256:af65fbc0c664691067788fe95ff88760b435543e45595eb2ca6f102fc476fbe1

Executive Summary

Threat ScoreNEEDS ATTENTION• Single exposed vulnerability (CVE-2026-45570, severity 6.53) in go-git library affecting SSH transport• Vulnerability requires non-default SSH clone operation; not exploitable by default• Image is popular (8M+ pulls) and pinned by digest, ensuring immutability• No high-severity (>=7.0) vulnerabilities; post-exploit findings are minimal (max severity 2.81)

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (8M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The only notable vulnerability (CVE-2026-45570) in the go-git library could lead to remote code execution when cloning a malicious SSH repository, but this requires the container to be configured to perform SSH git clone operations, which is not the default. Using HTTPS instead of SSH fully mitigates this risk. Other reported vulnerabilities have low severity (max 2.81) and pose minimal threat.

Vulnerabilities

Vulnerability Log

38 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45570	MEDIUM6.53	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45022	MEDIUM5.1	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.0	0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34986	MEDIUM5.1	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4660	MEDIUM5.1	github.com/hashicorp/go-getter v1.8.5 fixed in 1.8.6	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32280	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41506	MEDIUM5.03	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.18.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34165	MEDIUM4.25	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-34040	LOW2.81	github.com/docker/docker v28.5.2+incompatible fixed in 29.3.1	8.1% Low-Moderate Risk	Post-Exploit
CVE-2026-33997	LOW2.48	github.com/docker/docker v28.5.2+incompatible fixed in 29.3.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33762	LOW2.38	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42306	LOW2.2	github.com/docker/docker v28.5.2+incompatible No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-32289	LOW1.87	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW1.65	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 fixed in 1.7.8	—	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/service/s3 v1.96.0 fixed in 1.97.3	—	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.1 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-41567	NONE0	github.com/docker/docker v28.5.2+incompatible No fix yet	0.1% Theoretical Threat	Not Applicable
CVE-2026-41568	NONE0	github.com/docker/docker v28.5.2+incompatible No fix yet	0.1% Theoretical Threat	Not Applicable
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable