Vulnerability Reportapachepulsar/pulsar:4.1.3

apachepulsar/pulsar:4.1.3

DIGESTsha256:ad2d2e5c2c24df743346d253a9bd4872ef5dba5329deac6709c2fdb981bea53b

Executive Summary

Threat ScoreDANGEROUS• Two high-severity request smuggling vulnerabilities in network-facing HTTP components (CVE-2026-42581, CVE-2026-2332) with CVSS scores 8.33 and 7.73, enabling unauthorized data access and cache poisoning.• Image contains 94 exposed vulnerabilities, including 39 with severity ≥6.0 and a maximum severity of 8.33 (CVSS).• The container is an Apache Pulsar image (36M+ pulls) whose HTTP admin API is internet-facing and processes untrusted requests.• Pre-calculated threat score of 88 indicates critical risk.• No compensating controls are available; the image must be updated to patched versions of Netty and Jetty.

88/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (36M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling flaws in the Netty HTTP server (CVE-2026-42581) and Jetty HTTP parser (CVE-2026-2332) to perform cache poisoning, bypass access controls, or gain unauthorized access to data. No compensating controls are available; the image must be updated to patched versions of Netty (>=4.1.133.Final) and Jetty to eliminate these risks.

Vulnerabilities

Vulnerability Log

143 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.58.v20250814 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-1519	MEDIUM6.38	bind-libs 9.20.18-r0 fixed in 9.20.21-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-3039	MEDIUM6.38	bind-libs 9.20.18-r0 fixed in 9.20.23-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3104	MEDIUM6.38	bind-libs 9.20.18-r0 fixed in 9.20.21-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-5946	MEDIUM6.38	bind-libs 9.20.18-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-6732	MEDIUM6.38	libxml2 2.13.9-r0 fixed in 2.13.9-r1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	nghttp2-libs 1.65.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Directly Exposed
CVE-2025-67721	MEDIUM6.38	io.airlift:aircompressor 0.27 fixed in 2.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44893	MEDIUM6.38	io.netty:netty-codec-haproxy 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-48059	MEDIUM6.38	io.netty:netty-codec-haproxy 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.131.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.131.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.131.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.131.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45292	MEDIUM6.38	io.opentelemetry:opentelemetry-api 1.56.0 fixed in 1.62.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34478	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-34481	MEDIUM6.38	org.apache.logging.log4j:log4j-layout-template-json 2.25.3 fixed in 2.25.4	0.6% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.81 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0994	MEDIUM6.38	protobuf 6.31.1 fixed in 6.33.5, 5.29.6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-24281	MEDIUM6.29	org.apache.zookeeper:zookeeper 3.9.4 fixed in 3.8.6, 3.9.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-43869	MEDIUM6.21	org.apache.thrift:libthrift 0.14.2 fixed in 0.23.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5947	MEDIUM5.9	bind-libs 9.20.18-r0 fixed in 9.20.23-r0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-40490	MEDIUM5.78	org.asynchttpclient:async-http-client 2.12.4 fixed in 3.0.9, 2.14.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-3119	MEDIUM5.52	bind-libs 9.20.18-r0 fixed in 9.20.21-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.131.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32776	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-32777	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32778	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r10 fixed in 1.2.5-r11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl-utils 1.2.5-r10 fixed in 1.2.5-r11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3591	MEDIUM4.59	bind-libs 9.20.18-r0 fixed in 9.20.21-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-3592	MEDIUM4.5	bind-libs 9.20.18-r0 fixed in 9.20.23-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5950	MEDIUM4.5	bind-libs 9.20.18-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	xz-libs 5.8.1-r0 fixed in 5.8.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6860	MEDIUM4.5	io.vertx:vertx-core 4.5.24 fixed in 4.5.27, 5.0.12	0.2% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.58.v20250814 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45674	MEDIUM4.08	io.netty:netty-resolver-dns 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-47691	MEDIUM4.08	io.netty:netty-resolver-dns 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-3104	LOW3.82	bind-tools 9.20.18-r0 fixed in 9.20.21-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-5946	LOW3.82	bind-tools 9.20.18-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW3.82	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW3.77	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42579	LOW3.71	io.netty:netty-codec-dns 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-42584	LOW3.71	io.netty:netty-codec-http 4.1.131.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-5947	LOW3.54	bind-tools 9.20.18-r0 fixed in 9.20.23-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2026-3593	LOW3.53	bind-libs 9.20.18-r0 fixed in 9.20.23-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-3593	LOW3.53	bind-tools 9.20.18-r0 fixed in 9.20.23-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.131.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3119	LOW3.31	bind-tools 9.20.18-r0 fixed in 9.20.21-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-2673	LOW3.31	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-34181	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31790	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-3591	LOW2.75	bind-tools 9.20.18-r0 fixed in 9.20.21-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-24308	LOW2.7	org.apache.zookeeper:zookeeper 3.9.4 fixed in 3.9.5, 3.8.6	1.1% Low-Moderate Risk	Post-Exploit
CVE-2026-3592	LOW2.7	bind-tools 9.20.18-r0 fixed in 9.20.23-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5950	LOW2.7	bind-tools 9.20.18-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl 1.2.5-r10 fixed in 1.2.5-r12	0.1% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl-utils 1.2.5-r10 fixed in 1.2.5-r12	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-1519	LOW2.29	bind-tools 9.20.18-r0 fixed in 9.20.21-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-3039	LOW2.29	bind-tools 9.20.18-r0 fixed in 9.20.23-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.17.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.131.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.12.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-45300	NONE0	org.asynchttpclient:async-http-client 2.12.4 fixed in 3.0.10, 2.15.0	0.3% Theoretical Threat	Not Applicable