Vulnerability Reportanchore/syft:v1.44.0

anchore/syft:v1.44.0

DIGESTsha256:86fde6445b483d902fe011dd9f68c4987dd94e07da1e9edc004e3c2422650de6

Executive Summary

Threat ScoreSAFE• All 14 detected vulnerabilities have severity < 6.0 (max 5.1), posing negligible risk.• No high-severity (>=7.0) or medium-high (>=6.0) vulnerabilities found.• Post-exploit vulnerabilities (4) have max severity 2.94, requiring prior local access.• Image has high community trust (90/100) with 9.9M+ pulls and is pinned by digest.

0/100SAFE

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is safe for production use. While 14 low-severity vulnerabilities are present (max CVSS 5.1) and 4 post-exploit issues (max 2.94), none exceed the critical threshold and all require local access or non-default conditions. The image is widely used, pinned by digest, and has no exposed remote attack surface.

Vulnerabilities

Vulnerability Log

18 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45022	MEDIUM5.1	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.0	0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45570	LOW2.94	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW1.65	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.2 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable