Vulnerability Reportanchore/syft:v1.42.4

anchore/syft:v1.42.4

DIGESTsha256:e9f29bec38cc856bfd3a7966d2f99711b5b244a531bf121da9de3b47789eecfa

Executive Summary

Threat ScoreNEEDS ATTENTION• Image is from a popular community publisher (anchore) with 9.9M+ pulls and pinned by digest, ensuring immutability.• Contains 22 total vulnerabilities, but only one exposed surface vulnerability (CVE-2026-45570) with severity 6.53, which is moderate.• CVE-2026-45570 allows remote code execution during SSH repository cloning, but exploitation requires user interaction (cloning a malicious repo) and has low EPSS (0.36%).• 5 post-exploit vulnerabilities exist but all are low severity (max 2.29), posing negligible risk after initial compromise.• No official or verified publisher status, but high community trust mitigates supply chain risks.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The most notable finding, CVE-2026-45570, is a moderate-severity RCE in go-git's SSH transport that could be exploited if Syft clones a malicious repository via SSH—an action requiring user interaction and not a default operation. The image benefits from high community trust and is pinned by digest, ensuring no silent updates. Updating the go-git dependency to a patched version would eliminate the RCE risk. Note: CVE-2026-45570 only applies when SSH-based repository cloning is performed.

Vulnerabilities

Vulnerability Log

27 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45570	MEDIUM6.53	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45022	MEDIUM5.1	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.0	0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4660	MEDIUM5.1	github.com/hashicorp/go-getter v1.8.5 fixed in 1.8.6	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41506	MEDIUM5.03	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.18.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34165	MEDIUM4.25	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-33762	LOW2.38	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.17.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34986	LOW2.29	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Post-Exploit
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW1.65	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 fixed in 1.7.8	—	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/service/s3 v1.96.0 fixed in 1.97.3	—	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.1 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.17.0 fixed in 5.19.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable