Vulnerability Reportapache/zeppelin:0.12.1

apache/zeppelin:0.12.1

DIGESTsha256:ebb76b9b98f1b5457cd10c118fc6624269918a3602711a08d9f237673c0c0abb

Executive Summary

Threat ScoreDANGEROUS• Trusted community image (4M+ pulls) but contains 321 known vulnerabilities including 119 with severity >= 7.0.• Exposed surface includes critical sandbox bypass (CVE-2025-59340) in Jinjava, request smuggling (CVE-2017-7657) in Jetty, and remote code execution via SnakeYaml (CVE-2022-1471) and libwebp (CVE-2023-4863).• Maximum severity 10.0 and threat score 100 indicate extreme danger.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (4M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker can achieve remote code execution via crafted notebook templates (CVE-2025-59340), YAML parsing (CVE-2022-1471), or image upload (CVE-2023-4863), and can bypass authorization through HTTP request smuggling (CVE-2017-7657). Upgrading to patched versions (e.g., jinjava 2.8.1+, snakeyaml 2.0+, libwebp 1.3.2+) would eliminate these critical flaws. Note: Jackson deserialization issues (CVE-2019-16942, etc.) require Default Typing to be enabled, which may not be active by default in all deployments.

Vulnerabilities

Vulnerability Log

343 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-59340	CRITICAL10	com.hubspot.jinjava:jinjava 2.4.0 fixed in 2.8.1, 2.7.5	2.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-59340	CRITICAL10	com.hubspot.jinjava:jinjava 2.5.4 fixed in 2.8.1, 2.7.5	2.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2017-7657	CRITICAL10	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.2.25.v20180606, 9.3.24.v20180605	16.2% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2017-7658	CRITICAL10	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.2.25.v20180606, 9.3.24.v20180605, 9.4.11.v20180605	21.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2022-1471	CRITICAL10	org.yaml:snakeyaml 1.15 fixed in 2.0	99.6% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2023-4863	CRITICAL10	Pillow 9.2.0 fixed in 10.0.1	99.7% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2019-16942	CRITICAL9.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.1, 2.8.11.5, 2.6.7.3	5.7% Low-Moderate Risk	Directly Exposed
CVE-2019-16943	CRITICAL9.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.1, 2.8.11.5, 2.6.7.3	4.9% Low-Moderate Risk	Directly Exposed
CVE-2019-17267	CRITICAL9.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10, 2.8.11.5	4.6% Low-Moderate Risk	Directly Exposed
CVE-2019-17531	CRITICAL9.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.1, 2.8.11.5, 2.6.7.3	5.3% Low-Moderate Risk	Directly Exposed
CVE-2019-20330	CRITICAL9.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.2	8.6% Low-Moderate Risk	Directly Exposed
CVE-2020-9546	CRITICAL9.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	4.6% Low-Moderate Risk	Directly Exposed
CVE-2021-4104	CRITICAL9.75	log4j:log4j 1.2.17 No fix yet	81.1% Actively Exploited	Directly Exposed
CVE-2015-2080	CRITICAL9.75	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.2.9.v20150224	74.9% Actively Exploited	Directly Exposed
CVE-2021-28165	CRITICAL9.75	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.4.39, 10.0.2, 11.0.2	53.9% Actively Exploited	Directly Exposed
CVE-2020-35728	CRITICAL9.31	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	12.5% High Exploitation Risk	Directly Exposed
CVE-2020-36179	CRITICAL9.31	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	20.9% High Exploitation Risk	Directly Exposed
CVE-2020-36184	CRITICAL9.31	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	10.4% High Exploitation Risk	Directly Exposed
CVE-2020-36188	CRITICAL9.31	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	10.9% High Exploitation Risk	Directly Exposed
CVE-2020-7692	CRITICAL9.1	com.google.oauth-client:google-oauth-client 1.23.0 fixed in 1.31.0	1.6% Low-Moderate Risk	Directly Exposed
CVE-2020-7692	CRITICAL9.1	com.google.oauth-client:google-oauth-client 1.30.5 fixed in 1.31.0	1.6% Low-Moderate Risk	Directly Exposed
CVE-2019-20444	CRITICAL9.1	io.netty:netty 3.10.6.Final fixed in 4.0.0	8.7% Low-Moderate Risk	Directly Exposed
CVE-2023-44981	CRITICAL9.1	org.apache.zookeeper:zookeeper 3.5.5 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Directly Exposed
CVE-2023-44981	CRITICAL9.1	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Directly Exposed
CVE-2020-10672	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.0% Low-Moderate Risk	Directly Exposed
CVE-2020-10673	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4, 2.6.7.4	8.0% Low-Moderate Risk	Directly Exposed
CVE-2020-10968	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.6% Low-Moderate Risk	Directly Exposed
CVE-2020-10969	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.5% Low-Moderate Risk	Directly Exposed
CVE-2020-11111	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.5% Low-Moderate Risk	Directly Exposed
CVE-2020-11112	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.6% Low-Moderate Risk	Directly Exposed
CVE-2020-11113	HIGH8.8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	6.2% Low-Moderate Risk	Directly Exposed
CVE-2024-47561	HIGH8.8	org.apache.avro:avro 1.11.2 fixed in 1.11.4	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-4759	HIGH8.8	org.eclipse.jgit:org.eclipse.jgit 4.5.4.201711221230-r fixed in 6.6.1.202309021850-r, 5.13.3.202401111512-r	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-39286	HIGH8.8	jupyter_core 4.11.1 fixed in 4.11.2	1.1% Low-Moderate Risk	Directly Exposed
CVE-2019-12086	HIGH8.62	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3	21.9% High Exploitation Risk	Directly Exposed
CVE-2019-14439	HIGH8.62	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.9.2, 2.8.11.4, 2.7.9.6, 2.6.7.3	10.8% High Exploitation Risk	Directly Exposed
CVE-2020-25649	HIGH8.62	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.6.7.4, 2.9.10.7, 2.10.5.1	17.6% High Exploitation Risk	Directly Exposed
CVE-2019-12402	HIGH8.62	org.apache.commons:commons-compress 1.18 fixed in 1.19	16.2% High Exploitation Risk	Directly Exposed
CVE-2021-35515	HIGH8.62	org.apache.commons:commons-compress 1.18 fixed in 1.21	11.9% High Exploitation Risk	Directly Exposed
CVE-2021-35516	HIGH8.62	org.apache.commons:commons-compress 1.18 fixed in 1.21	12.7% High Exploitation Risk	Directly Exposed
CVE-2021-35517	HIGH8.62	org.apache.commons:commons-compress 1.18 fixed in 1.21	10.9% High Exploitation Risk	Directly Exposed
CVE-2021-36090	HIGH8.62	org.apache.commons:commons-compress 1.18 fixed in 1.21	13.3% High Exploitation Risk	Directly Exposed
CVE-2019-10172	HIGH8.62	org.codehaus.jackson:jackson-mapper-asl 1.9.13 No fix yet	17.0% High Exploitation Risk	Directly Exposed
CVE-2021-33813	HIGH8.62	org.jdom:jdom 1.1 No fix yet	19.4% High Exploitation Risk	Directly Exposed
CVE-2017-18640	HIGH8.62	org.yaml:snakeyaml 1.15 fixed in 1.26	26.7% High Exploitation Risk	Directly Exposed
CVE-2026-27727	HIGH8.33	com.mchange:mchange-commons-java 0.2.15 fixed in 0.4.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41409	HIGH8.33	org.apache.mina:mina-core 2.0.7 fixed in 2.0.28, 2.1.11, 2.2.6	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41635	HIGH8.33	org.apache.mina:mina-core 2.0.7 fixed in 2.0.28, 2.1.11, 2.2.6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-66034	HIGH8.33	fonttools 4.38.0 fixed in 4.60.2	0.5% Theoretical Threat	Directly Exposed
CVE-2020-10650	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.3% Low-Moderate Risk	Directly Exposed
CVE-2020-11619	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	3.6% Low-Moderate Risk	Directly Exposed
CVE-2020-11620	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4	5.6% Low-Moderate Risk	Directly Exposed
CVE-2020-14060	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.5	8.5% Low-Moderate Risk	Directly Exposed
CVE-2020-14061	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.5	4.4% Low-Moderate Risk	Directly Exposed
CVE-2020-14062	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.5	8.0% Low-Moderate Risk	Directly Exposed
CVE-2020-14195	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.5	4.5% Low-Moderate Risk	Directly Exposed
CVE-2020-24616	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.6	9.3% Low-Moderate Risk	Directly Exposed
CVE-2020-24750	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.6.7.5, 2.9.10.6	7.3% Low-Moderate Risk	Directly Exposed
CVE-2020-35490	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	7.7% Low-Moderate Risk	Directly Exposed
CVE-2020-35491	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	9.5% Low-Moderate Risk	Directly Exposed
CVE-2020-36180	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	5.0% Low-Moderate Risk	Directly Exposed
CVE-2020-36181	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	5.0% Low-Moderate Risk	Directly Exposed
CVE-2020-36182	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	5.0% Low-Moderate Risk	Directly Exposed
CVE-2020-36183	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	4.9% Low-Moderate Risk	Directly Exposed
CVE-2020-36185	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	5.2% Low-Moderate Risk	Directly Exposed
CVE-2020-36186	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	5.2% Low-Moderate Risk	Directly Exposed
CVE-2020-36187	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8	5.2% Low-Moderate Risk	Directly Exposed
CVE-2020-36189	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.8, 2.6.7.5	4.9% Low-Moderate Risk	Directly Exposed
CVE-2021-20190	HIGH8.1	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.7, 2.6.7.5	7.5% Low-Moderate Risk	Directly Exposed
CVE-2019-7611	HIGH8.1	org.elasticsearch:elasticsearch 2.4.3 fixed in 5.6.15, 6.6.1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-50447	HIGH8.1	Pillow 9.2.0 fixed in 10.2.0	1.7% Low-Moderate Risk	Directly Exposed
CVE-2019-14540	HIGH8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10, 2.8.11.5, 2.6.7.3	10.7% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2020-8840	HIGH8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3	26.6% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2020-9547	HIGH8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4, 2.8.11.6, 2.7.9.7	18.7% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2020-9548	HIGH8	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10.4, 2.8.11.6, 2.7.9.7	18.3% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2019-14379	HIGH7.84	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.9.2, 2.8.11.4, 2.7.9.6	8.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2019-16335	HIGH7.84	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10, 2.8.11.5, 2.6.7.3	4.9% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2019-14892	HIGH7.84	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.6.7.3, 2.8.11.5, 2.9.10	5.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2019-14893	HIGH7.84	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.10	4.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2019-10202	HIGH7.84	org.codehaus.jackson:jackson-mapper-asl 1.9.13 No fix yet	5.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-42584	HIGH7.73	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 11.0.24 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.54.v20240208 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58782	HIGH7.7	org.apache.jackrabbit:jackrabbit-jcr-commons 1.6.5 fixed in 2.22.2	1.3% Low-Moderate Risk	Directly Exposed
CVE-2020-36518	HIGH7.5	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.13.2.1, 2.12.6.1	4.9% Low-Moderate Risk	Directly Exposed
CVE-2022-42003	HIGH7.5	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.12.7.1, 2.13.4.2	2.8% Low-Moderate Risk	Directly Exposed
CVE-2022-42004	HIGH7.5	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.12.7.1, 2.13.4	2.7% Low-Moderate Risk	Directly Exposed
CVE-2024-7254	HIGH7.5	com.google.protobuf:protobuf-java 3.21.7 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly Exposed
CVE-2023-46120	HIGH7.5	com.rabbitmq:amqp-client 5.5.3 fixed in 5.18.0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-3635	HIGH7.5	com.squareup.okio:okio 1.15.0 fixed in 3.4.0, 1.17.6	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-3635	HIGH7.5	com.squareup.okio:okio 1.17.3 fixed in 3.4.0, 1.17.6	1.1% Low-Moderate Risk	Directly Exposed
CVE-2021-37136	HIGH7.5	io.netty:netty 3.10.6.Final fixed in 4.0.0	5.7% Low-Moderate Risk	Directly Exposed
CVE-2021-37137	HIGH7.5	io.netty:netty 3.10.6.Final fixed in 4.0.0	6.3% Low-Moderate Risk	Directly Exposed
CVE-2021-37136	HIGH7.5	io.netty:netty-codec 4.1.51.Final fixed in 4.1.68.Final	5.7% Low-Moderate Risk	Directly Exposed
CVE-2021-37137	HIGH7.5	io.netty:netty-codec 4.1.51.Final fixed in 4.1.68.Final	6.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26464	HIGH7.5	log4j:log4j 1.2.17 fixed in 2.0	1.9% Low-Moderate Risk	Directly Exposed
CVE-2023-39410	HIGH7.5	org.apache.avro:avro 1.11.2 fixed in 1.11.3	1.8% Low-Moderate Risk	Directly Exposed
CVE-2015-3250	HIGH7.5	org.apache.directory.api:api-ldap-model 1.0.0-M20 fixed in 1.0.0-M31	5.1% Low-Moderate Risk	Directly Exposed
CVE-2021-39239	HIGH7.5	org.apache.jena:jena-core 3.12.0 fixed in 4.2.0	4.0% Low-Moderate Risk	Directly Exposed
CVE-2019-0231	HIGH7.5	org.apache.mina:mina-core 2.0.7 fixed in 2.0.21, 2.1.1	2.2% Low-Moderate Risk	Directly Exposed
CVE-2020-13949	HIGH7.5	org.apache.thrift:libthrift 0.13.0 fixed in 0.14.0	6.8% Low-Moderate Risk	Directly Exposed
CVE-2017-7656	HIGH7.5	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.3.24.v20180605, 9.4.11.v20180605	6.4% Low-Moderate Risk	Directly Exposed
CVE-2017-9735	HIGH7.5	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.4.6.v20170531, 9.3.20.v20170531, 9.2.22.v20170606	5.8% Low-Moderate Risk	Directly Exposed
CVE-2023-31418	HIGH7.5	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.17.13, 8.9.0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2021-37714	HIGH7.5	org.jsoup:jsoup 1.10.3 fixed in 1.14.2	6.9% Low-Moderate Risk	Directly Exposed
CVE-2021-37714	HIGH7.5	org.jsoup:jsoup 1.11.3 fixed in 1.14.2	6.9% Low-Moderate Risk	Directly Exposed
CVE-2021-37714	HIGH7.5	org.jsoup:jsoup 1.8.1 fixed in 1.14.2	6.9% Low-Moderate Risk	Directly Exposed
CVE-2022-25857	HIGH7.5	org.yaml:snakeyaml 1.15 fixed in 1.31	2.1% Low-Moderate Risk	Directly Exposed
CVE-2022-45199	HIGH7.5	Pillow 9.2.0 fixed in 9.3.0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-44271	HIGH7.5	Pillow 9.2.0 fixed in 10.0.0	1.0% Low-Moderate Risk	Directly Exposed
CVE-2023-45139	HIGH7.5	fonttools 4.38.0 fixed in 4.43.0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2024-3651	HIGH7.5	idna 3.4 fixed in 3.7	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-52804	HIGH7.5	tornado 6.2 fixed in 6.4.2	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.2.1 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly Exposed
CVE-2024-56201	HIGH7.48	Jinja2 3.1.4 fixed in 3.1.5	0.3% Theoretical Threat	Directly Exposed
CVE-2025-27516	HIGH7.48	Jinja2 3.1.4 fixed in 3.1.6	0.5% Theoretical Threat	Directly Exposed
CVE-2024-12797	HIGH7.4	cryptography 42.0.2 fixed in 44.0.1	2.4% Low-Moderate Risk	Directly Exposed
CVE-2023-24816	HIGH7	ipython 7.33.0 fixed in 8.10.0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.51.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.75.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.87.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-27830	MEDIUM6.8	com.mchange:c3p0 0.9.5.4 fixed in 0.12.0	0.3% Theoretical Threat	Directly Exposed
CVE-2019-12384	MEDIUM6.79	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.9.1, 2.8.11.4, 2.7.9.6, 2.6.7.3	45.2% High Exploitation Risk	Directly Exposed
CVE-2019-12814	MEDIUM6.79	com.fasterxml.jackson.core:jackson-databind 2.9.8 fixed in 2.9.9.1, 2.8.11.4, 2.7.9.6, 2.6.7.3	11.0% High Exploitation Risk	Directly Exposed
CVE-2016-5725	MEDIUM6.79	com.jcraft:jsch 0.1.53 fixed in 0.1.54	24.1% High Exploitation Risk	Directly Exposed
CVE-2021-21295	MEDIUM6.79	io.netty:netty 3.10.6.Final fixed in 4.0.0	18.9% High Exploitation Risk	Directly Exposed
CVE-2025-54920	MEDIUM6.7	org.apache.spark:spark-core_2.12 3.5.3 fixed in 3.5.7	5.3% Low-Moderate Risk	Directly Exposed
CVE-2020-12668	MEDIUM6.5	com.hubspot.jinjava:jinjava 2.4.0 fixed in 2.5.4	1.8% Low-Moderate Risk	Directly Exposed
CVE-2021-37533	MEDIUM6.5	commons-net:commons-net 3.3 fixed in 3.9.0	1.9% Low-Moderate Risk	Directly Exposed
CVE-2021-43797	MEDIUM6.5	io.netty:netty 3.10.6.Final fixed in 4.0.0	2.7% Low-Moderate Risk	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.51.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.75.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.87.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2021-41973	MEDIUM6.5	org.apache.mina:mina-core 2.0.7 fixed in 2.1.5, 2.0.22	4.3% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.54.v20240208 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2020-7019	MEDIUM6.5	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.9.0, 6.8.12	1.2% Low-Moderate Risk	Directly Exposed
CVE-2021-22144	MEDIUM6.5	org.elasticsearch:elasticsearch 2.4.3 fixed in 6.8.17, 7.13.3	1.7% Low-Moderate Risk	Directly Exposed
CVE-2022-38749	MEDIUM6.5	org.yaml:snakeyaml 1.15 fixed in 1.31	1.6% Low-Moderate Risk	Directly Exposed
CVE-2022-38751	MEDIUM6.5	org.yaml:snakeyaml 1.15 fixed in 1.31	1.5% Low-Moderate Risk	Directly Exposed
CVE-2022-38752	MEDIUM6.5	org.yaml:snakeyaml 1.15 fixed in 1.32	2.0% Low-Moderate Risk	Directly Exposed
CVE-2022-41854	MEDIUM6.5	org.yaml:snakeyaml 1.15 fixed in 1.32	1.5% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.9.8 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2021-0341	MEDIUM6.38	com.squareup.okhttp3:okhttp 3.12.12 fixed in 4.9.2	0.9% Theoretical Threat	Directly Exposed
CVE-2021-0341	MEDIUM6.38	com.squareup.okhttp3:okhttp 3.13.1 fixed in 4.9.2	0.9% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.51.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.75.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.87.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.87.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.87.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.51.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.51.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.75.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.75.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.87.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.87.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.87.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34479	MEDIUM6.38	org.apache.logging.log4j:log4j-1.2-api 2.20.0 fixed in 2.25.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.17.1 fixed in 2.25.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.20.0 fixed in 2.25.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.80 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.80.2 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2024-23444	MEDIUM6.38	org.elasticsearch:elasticsearch 2.4.3 fixed in 8.13.0, 7.17.23	0.2% Theoretical Threat	Directly Exposed
CVE-2024-43709	MEDIUM6.38	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.17.21, 8.13.3	0.6% Theoretical Threat	Directly Exposed
CVE-2024-52979	MEDIUM6.38	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.17.25, 8.16.0	0.5% Theoretical Threat	Directly Exposed
CVE-2024-21634	MEDIUM6.38	software.amazon.ion:ion-java 1.0.2 fixed in 1.10.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-6176	MEDIUM6.38	Brotli 1.0.9 fixed in 1.2.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69534	MEDIUM6.38	Markdown 3.6 fixed in 3.8.1	0.5% Theoretical Threat	Directly Exposed
CVE-2024-26130	MEDIUM6.38	cryptography 42.0.2 fixed in 42.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2023-33953	MEDIUM6.38	grpcio 1.48.1 fixed in 1.53.2, 1.54.3, 1.55.2, 1.56.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0994	MEDIUM6.38	protobuf 4.21.8 fixed in 6.33.5, 5.29.6	0.4% Theoretical Threat	Directly Exposed
CVE-2025-47287	MEDIUM6.38	tornado 6.2 fixed in 6.5	0.6% Theoretical Threat	Directly Exposed
CVE-2026-31958	MEDIUM6.38	tornado 6.2 fixed in 6.5.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-66418	MEDIUM6.38	urllib3 2.1.0 fixed in 2.6.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-66471	MEDIUM6.38	urllib3 2.1.0 fixed in 2.6.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-21441	MEDIUM6.38	urllib3 2.1.0 fixed in 2.6.3	0.5% Theoretical Threat	Directly Exposed
CVE-2025-66418	MEDIUM6.38	urllib3 2.2.1 fixed in 2.6.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-66471	MEDIUM6.38	urllib3 2.2.1 fixed in 2.6.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-21441	MEDIUM6.38	urllib3 2.2.1 fixed in 2.6.3	0.5% Theoretical Threat	Directly Exposed
CVE-2025-12383	MEDIUM6.29	org.glassfish.jersey.core:jersey-client 3.1.9 fixed in 2.46, 3.0.17, 3.1.10	0.3% Theoretical Threat	Directly Exposed
CVE-2021-22573	MEDIUM6.21	com.google.oauth-client:google-oauth-client 1.23.0 fixed in 1.33.3	0.3% Theoretical Threat	Directly Exposed
CVE-2021-22573	MEDIUM6.21	com.google.oauth-client:google-oauth-client 1.30.5 fixed in 1.33.3	0.3% Theoretical Threat	Directly Exposed
CVE-2026-43869	MEDIUM6.21	org.apache.thrift:libthrift 0.13.0 fixed in 0.23.0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-34062	MEDIUM6.21	tqdm 4.65.0 fixed in 4.66.3	0.4% Theoretical Threat	Directly Exposed
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.54.v20240208 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2019-10241	MEDIUM6.1	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411	9.6% Low-Moderate Risk	Directly Exposed
CVE-2022-36033	MEDIUM6.1	org.jsoup:jsoup 1.10.3 fixed in 1.15.3	1.2% Low-Moderate Risk	Directly Exposed
CVE-2022-36033	MEDIUM6.1	org.jsoup:jsoup 1.11.3 fixed in 1.15.3	1.2% Low-Moderate Risk	Directly Exposed
CVE-2015-6748	MEDIUM6.1	org.jsoup:jsoup 1.8.1 fixed in 1.8.3	2.2% Low-Moderate Risk	Directly Exposed
CVE-2022-36033	MEDIUM6.1	org.jsoup:jsoup 1.8.1 fixed in 1.15.3	1.2% Low-Moderate Risk	Directly Exposed
CVE-2023-28370	MEDIUM6.1	tornado 6.2 fixed in 6.3.2	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 18.0 fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 19.0 fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 20.0 fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 24.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 25.0-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 31.1-android fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2025-4802	MEDIUM5.95	libc-bin 2.31-0ubuntu9.17 fixed in 2.31-0ubuntu9.18	0.4% Theoretical Threat	Directly Exposed
CVE-2025-4802	MEDIUM5.95	libc6 2.31-0ubuntu9.17 fixed in 2.31-0ubuntu9.18	0.4% Theoretical Threat	Directly Exposed
CVE-2018-10237	MEDIUM5.9	com.google.guava:guava 18.0 fixed in 24.1.1-android	5.1% Low-Moderate Risk	Directly Exposed
CVE-2018-10237	MEDIUM5.9	com.google.guava:guava 19.0 fixed in 24.1.1-android	5.1% Low-Moderate Risk	Directly Exposed
CVE-2018-10237	MEDIUM5.9	com.google.guava:guava 20.0 fixed in 24.1.1-android	5.1% Low-Moderate Risk	Directly Exposed
CVE-2021-21409	MEDIUM5.9	io.netty:netty 3.10.6.Final fixed in 4.0.0	4.9% Low-Moderate Risk	Directly Exposed
CVE-2019-7614	MEDIUM5.9	org.elasticsearch:elasticsearch 2.4.3 fixed in 6.8.2, 7.2.1	1.0% Low-Moderate Risk	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.87.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.80.2 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 11.0.24 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.54.v20240208 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2023-49921	MEDIUM5.52	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.17.16, 8.11.2	0.5% Theoretical Threat	Directly Exposed
CVE-2026-26007	MEDIUM5.52	cryptography 42.0.2 fixed in 46.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2024-37891	MEDIUM5.52	urllib3 2.1.0 fixed in 1.26.19, 2.2.2	1.0% Theoretical Threat	Directly Exposed
CVE-2024-37891	MEDIUM5.52	urllib3 2.2.1 fixed in 1.26.19, 2.2.2	1.0% Theoretical Threat	Directly Exposed
CVE-2021-21290	MEDIUM5.5	io.netty:netty 3.10.6.Final fixed in 4.0.0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2021-27807	MEDIUM5.5	org.apache.pdfbox:pdfbox 2.0.16 fixed in 2.0.23	3.0% Low-Moderate Risk	Directly Exposed
CVE-2021-27906	MEDIUM5.5	org.apache.pdfbox:pdfbox 2.0.16 fixed in 2.0.23	3.3% Low-Moderate Risk	Directly Exposed
CVE-2021-31811	MEDIUM5.5	org.apache.pdfbox:pdfbox 2.0.16 fixed in 2.0.24	3.4% Low-Moderate Risk	Directly Exposed
CVE-2021-31812	MEDIUM5.5	org.apache.pdfbox:pdfbox 2.0.16 fixed in 2.0.24	3.1% Low-Moderate Risk	Directly Exposed
CVE-2024-56326	MEDIUM5.35	Jinja2 3.1.4 fixed in 3.1.5	0.5% Theoretical Threat	Directly Exposed
CVE-2018-18893	MEDIUM5.3	com.hubspot.jinjava:jinjava 2.4.0 fixed in 2.4.6	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.87.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2020-13956	MEDIUM5.3	org.apache.httpcomponents:httpclient 4.5 fixed in 4.5.13, 5.0.3	8.7% Low-Moderate Risk	Directly Exposed
CVE-2019-10247	MEDIUM5.3	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.2.28.v20190418, 9.3.27.v20190418, 9.4.17.v20190418	5.8% Low-Moderate Risk	Directly Exposed
CVE-2023-26048	MEDIUM5.3	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26049	MEDIUM5.3	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14, 12.0.0.beta0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 4.5.4.201711221230-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2021-22135	MEDIUM5.3	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.11.2, 6.8.15	1.2% Low-Moderate Risk	Directly Exposed
CVE-2021-22137	MEDIUM5.3	org.elasticsearch:elasticsearch 2.4.3 fixed in 7.11.2, 6.8.15	1.1% Low-Moderate Risk	Directly Exposed
CVE-2021-33430	MEDIUM5.3	numpy 1.19.5 fixed in 1.21	1.1% Low-Moderate Risk	Directly Exposed
CVE-2021-34141	MEDIUM5.3	numpy 1.19.5 fixed in 1.22	1.6% Low-Moderate Risk	Directly Exposed
CVE-2024-5569	MEDIUM5.27	zipp 3.15.0 fixed in 3.19.1	0.2% Theoretical Threat	Directly Exposed
CVE-2018-3824	MEDIUM5.18	org.elasticsearch:elasticsearch 2.4.3 fixed in 5.6.9, 6.2.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-23528	MEDIUM5.18	distributed 2021.10.0 fixed in 2026.1.0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-50181	MEDIUM5.18	urllib3 2.1.0 fixed in 2.5.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-50181	MEDIUM5.18	urllib3 2.2.1 fixed in 2.5.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-50182	MEDIUM5.18	urllib3 2.2.1 fixed in 2.5.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.17.1 fixed in 2.25.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.20.0 fixed in 2.25.4	0.4% Theoretical Threat	Directly Exposed
CVE-2024-28219	MEDIUM5.02	Pillow 9.2.0 fixed in 10.3.0	1.0% Theoretical Threat	Directly Exposed
CVE-2020-7021	MEDIUM4.9	org.elasticsearch:elasticsearch 2.4.3 fixed in 6.8.14, 7.10.0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-35195	MEDIUM4.76	requests 2.31.0 fixed in 2.32.0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.51.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.51.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.75.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.75.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.87.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.87.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.18 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2023-42503	MEDIUM4.67	org.apache.commons:commons-compress 1.23.0 fixed in 1.24.0	0.5% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.23.0 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.23.0 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2022-38750	MEDIUM4.67	org.yaml:snakeyaml 1.15 fixed in 1.31	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42308	MEDIUM4.67	Pillow 9.2.0 fixed in 12.2.0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-42310	MEDIUM4.67	Pillow 9.2.0 fixed in 12.2.0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-25645	MEDIUM4.67	requests 2.31.0 fixed in 2.33.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-25645	MEDIUM4.67	requests 2.32.2 fixed in 2.33.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-21883	MEDIUM4.59	bokeh 2.4.3 fixed in 3.8.2	0.2% Theoretical Threat	Directly Exposed
CVE-2019-17571	MEDIUM4.58	log4j:log4j 1.2.17 No fix yet	69.1% Actively Exploited	Post-Exploit
CVE-2022-23305	MEDIUM4.58	log4j:log4j 1.2.17 No fix yet	67.5% Actively Exploited	Post-Exploit
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.87.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 11.0.24 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 8.2.0.v20160908 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.54.v20240208 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2026-34073	MEDIUM4.5	cryptography 42.0.2 fixed in 46.0.6	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45409	MEDIUM4.5	idna 3.10 fixed in 3.15	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45409	MEDIUM4.5	idna 3.4 fixed in 3.15	0.4% Theoretical Threat	Directly Exposed
CVE-2025-4565	MEDIUM4.5	protobuf 4.21.8 fixed in 4.25.8, 5.29.5, 6.31.1	0.3% Theoretical Threat	Directly Exposed
CVE-2024-47081	MEDIUM4.5	requests 2.31.0 fixed in 2.32.4	0.8% Theoretical Threat	Directly Exposed
CVE-2024-47081	MEDIUM4.5	requests 2.32.2 fixed in 2.32.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-35536	MEDIUM4.5	tornado 6.2 fixed in 6.5.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44431	MEDIUM4.5	urllib3 2.1.0 fixed in 2.7.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-44431	MEDIUM4.5	urllib3 2.2.1 fixed in 2.7.0	0.3% Theoretical Threat	Directly Exposed
CVE-2022-23307	MEDIUM4.12	log4j:log4j 1.2.17 No fix yet	52.5% Actively Exploited	Post-Exploit
CVE-2022-23302	MEDIUM4.12	log4j:log4j 1.2.17 No fix yet	61.8% Actively Exploited	Post-Exploit
CVE-2025-68161	MEDIUM4.08	org.apache.logging.log4j:log4j-core 2.17.1 fixed in 2.25.3	0.7% Theoretical Threat	Directly Exposed
CVE-2025-68161	MEDIUM4.08	org.apache.logging.log4j:log4j-core 2.20.0 fixed in 2.25.3	0.7% Theoretical Threat	Directly Exposed
CVE-2024-52046	MEDIUM4.06	org.apache.mina:mina-core 2.0.7 fixed in 2.2.4, 2.1.10, 2.0.27	23.9% High Exploitation Risk	Post-Exploit
CVE-2019-20445	LOW3.77	io.netty:netty 3.10.6.Final fixed in 4.0.0	13.5% High Exploitation Risk	Post-Exploit
CVE-2025-49128	LOW3.4	com.fasterxml.jackson.core:jackson-core 2.9.8 fixed in 2.13.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.96.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.1.96.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2024-6345	LOW3.17	setuptools 59.8.0 fixed in 70.0.0	1.8% Low-Moderate Risk	Post-Exploit
CVE-2025-47273	LOW3.17	setuptools 59.8.0 fixed in 78.1.1	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-6345	LOW3.17	setuptools 68.2.2 fixed in 70.0.0	1.8% Low-Moderate Risk	Post-Exploit
CVE-2025-47273	LOW3.17	setuptools 68.2.2 fixed in 78.1.1	1.4% Low-Moderate Risk	Post-Exploit
CVE-2021-34428	LOW2.98	org.eclipse.jetty:jetty-server 8.2.0.v20160908 fixed in 9.4.41, 10.0.3, 11.0.3	1.0% Theoretical Threat	Directly Exposed
CVE-2026-6357	LOW2.96	pip 23.3.1 fixed in 26.1	0.1% Theoretical Threat	Post-Exploit
CVE-2026-6357	LOW2.96	pip 24.0 fixed in 26.1	0.1% Theoretical Threat	Post-Exploit
CVE-2026-24049	LOW2.8	wheel 0.41.2 fixed in 0.46.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-24049	LOW2.8	wheel 0.42.0 fixed in 0.46.2	0.3% Theoretical Threat	Post-Exploit
CVE-2020-8908	LOW2.8	com.google.guava:guava 18.0 fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 19.0 fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 20.0 fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 24.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 25.0-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 31.1-android fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2026-4539	LOW2.8	Pygments 2.17.2 fixed in 2.20.0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8869	LOW2.7	pip 23.3.1 fixed in 25.3	0.4% Theoretical Threat	Post-Exploit
CVE-2025-8869	LOW2.7	pip 24.0 fixed in 25.3	0.4% Theoretical Threat	Post-Exploit
CVE-2020-7020	LOW2.63	org.elasticsearch:elasticsearch 2.4.3 fixed in 6.8.13, 7.9.2	1.0% Theoretical Threat	Directly Exposed
CVE-2026-3219	LOW2.55	pip 23.3.1 fixed in 26.1	0.1% Theoretical Threat	Post-Exploit
CVE-2026-3219	LOW2.55	pip 24.0 fixed in 26.1	0.1% Theoretical Threat	Post-Exploit
CVE-2022-2047	LOW2.29	org.eclipse.jetty:jetty-http 8.2.0.v20160908 fixed in 9.4.47, 10.0.10, 11.0.10	0.9% Theoretical Threat	Directly Exposed
CVE-2022-40897	LOW2.12	setuptools 59.8.0 fixed in 65.5.1	2.6% Low-Moderate Risk	Post-Exploit
CVE-2026-23901	LOW2.12	org.apache.shiro:shiro-core 1.13.0 fixed in 2.1.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-1703	LOW1.99	pip 23.3.1 fixed in 26.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-1703	LOW1.99	pip 24.0 fixed in 26.0	0.4% Theoretical Threat	Post-Exploit
CVE-2025-48924	NONE0	commons-lang:commons-lang 2.6 No fix yet	2.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.18.3 fixed in 2.21.1, 2.18.6	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.9.8 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-25526	NONE0	com.hubspot.jinjava:jinjava 2.4.0 fixed in 2.8.3, 2.7.6	0.9% Theoretical Threat	Not Applicable
CVE-2026-25526	NONE0	com.hubspot.jinjava:jinjava 2.5.4 fixed in 2.8.3, 2.7.6	0.9% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.51.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.75.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.87.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.87.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.10.1 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
GHSA-gj48-438w-jh9v	NONE0	bleach 6.1.0 fixed in 6.4.0	—	Not Applicable
GHSA-8rfp-98v4-mmr6	NONE0	bleach 6.1.0 fixed in 6.4.0	—	Not Applicable
GHSA-537c-gmf6-5ccf	NONE0	cryptography 42.0.2 fixed in 48.0.1	—	Not Applicable
GHSA-h4gh-qq45-vh27	NONE0	cryptography 42.0.2 fixed in 43.0.1	—	Not Applicable
CVE-2026-33310	NONE0	intake 0.7.0 No fix yet	0.4% Theoretical Threat	Not Applicable
CVE-2025-30167	NONE0	jupyter_core 4.11.1 fixed in 5.8.1	0.1% Theoretical Threat	Not Applicable
CVE-2026-49853	NONE0	tornado 6.2 fixed in 6.5.6	—	Not Applicable
CVE-2026-49855	NONE0	tornado 6.2 fixed in 6.5.6	—	Not Applicable
GHSA-753j-mpmx-qq6g	NONE0	tornado 6.2 fixed in 6.4.1	—	Not Applicable
GHSA-78cv-mqj4-43f7	NONE0	tornado 6.2 fixed in 6.5.5	—	Not Applicable
GHSA-pw6j-qg29-8w7f	NONE0	tornado 6.2 fixed in 6.5.7	—	Not Applicable
GHSA-qppv-j76h-2rpx	NONE0	tornado 6.2 fixed in 6.3.3	—	Not Applicable
GHSA-w235-7p84-xx57	NONE0	tornado 6.2 fixed in 6.4.1	—	Not Applicable
CVE-2026-49854	NONE0	tornado 6.2 fixed in 6.5.6	—	Not Applicable