Vulnerability Reportanchore/syft:v1.42.3

anchore/syft:v1.42.3

DIGESTsha256:5999d209a342e55e9edf70bf8930fb5b86d8f2a783fa401178372c50e21b1d36

Executive Summary

Threat ScoreSAFE• Trusted image from popular community publisher (anchore) with 9M+ pulls and pinned by digest• No exposed surface or post-exploit vulnerabilities identified in top findings• All 25 exposed vulnerabilities are low severity (max 5.95), none above 6.0• 9 post-exploit findings are even lower severity (max 2.94)

0/100SAFE

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is safe for production use. While there are 25 low-severity vulnerabilities and 9 post-exploit findings, none exceed a severity of 5.95, and no high-impact issues are present. The image's strong reputation and immutability further reduce risk.

Vulnerabilities

Vulnerability Log

34 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33810	MEDIUM5.58	stdlib v1.26.1 fixed in 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32282	MEDIUM5.44	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45022	MEDIUM5.1	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.0	0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32280	MEDIUM5.1	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32288	MEDIUM4.67	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34165	MEDIUM4.25	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45570	LOW2.94	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33762	LOW2.38	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34986	LOW2.29	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Post-Exploit
CVE-2026-4660	LOW2.29	github.com/hashicorp/go-getter v1.8.5 fixed in 1.8.6	0.4% Theoretical Threat	Post-Exploit
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-41506	LOW2.26	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.18.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-32289	LOW1.87	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW1.65	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 fixed in 1.7.8	—	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/service/s3 v1.96.0 fixed in 1.97.3	—	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.1 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable