Vulnerability Reportapachepulsar/pulsar:4.2.1

apachepulsar/pulsar:4.2.1

DIGESTsha256:951917ef3b285ccbcdb73c5fd75149406be74e89379485b4224df28d7f1cec87

Executive Summary

Threat ScoreCAUTION• 59 exposed vulnerabilities, with a maximum severity of 8.33 (CVE-2026-42581).• 19 vulnerabilities have severity ≥ 6.0, including HTTP request smuggling and DNS cache poisoning.• Key CVEs: CVE-2026-42581 (request smuggling), CVE-2026-45674 (DNS poisoning), CVE-2026-42587 (DoS via decompression bomb).• Trust reputation is reliable (popular community image), but vulnerabilities affect core networking and HTTP handling.• No post-exploit findings, reducing risk after initial compromise.

74/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (36M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit HTTP request smuggling (CVE-2026-42581) to bypass security boundaries, or use DNS cache poisoning (CVE-2026-45674) to redirect traffic. Additionally, denial-of-service attacks via decompression bombs (CVE-2026-42587) are possible. The image is from a popular community source but the vulnerabilities affect core networking components like Netty and bind.

Vulnerabilities

Vulnerability Log

102 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45674	MEDIUM6.8	io.netty:netty-resolver-dns 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-47691	MEDIUM6.8	io.netty:netty-resolver-dns 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5946	MEDIUM6.38	bind-libs 9.20.22-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-6732	MEDIUM6.38	libxml2 2.13.9-r0 fixed in 2.13.9-r1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	nghttp2-libs 1.68.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-48059	MEDIUM6.38	io.netty:netty-codec-haproxy 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45292	MEDIUM6.38	io.opentelemetry:opentelemetry-api 1.56.0 fixed in 1.62.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-43869	MEDIUM6.21	org.apache.thrift:libthrift 0.14.2 fixed in 0.23.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42579	MEDIUM6.18	io.netty:netty-codec-dns 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42584	MEDIUM6.18	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5947	MEDIUM5.9	bind-libs 9.20.22-r0 fixed in 9.20.23-r0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.132.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44893	MEDIUM5.1	io.netty:netty-codec-haproxy 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42578	MEDIUM5.1	io.netty:netty-handler-proxy 4.1.132.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-3592	MEDIUM4.5	bind-libs 9.20.22-r0 fixed in 9.20.23-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5950	MEDIUM4.5	bind-libs 9.20.22-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	xz-libs 5.8.2-r0 fixed in 5.8.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6860	MEDIUM4.5	io.vertx:vertx-core 4.5.24 fixed in 4.5.27, 5.0.12	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-3593	LOW3.53	bind-libs 9.20.22-r0 fixed in 9.20.23-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-3593	LOW3.53	bind-tools 9.20.22-r0 fixed in 9.20.23-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-1965	LOW3.47	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-1965	LOW3.47	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.132.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3784	LOW3.31	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW3.31	curl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3784	LOW3.31	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW3.31	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	curl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34181	LOW3.21	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	LOW3.01	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.6-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.5.6-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-3783	LOW2.91	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-3783	LOW2.91	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-3592	LOW2.7	bind-tools 9.20.22-r0 fixed in 9.20.23-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5950	LOW2.7	bind-tools 9.20.22-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	curl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-3039	LOW2.29	bind-libs 9.20.22-r0 fixed in 9.20.23-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3039	LOW2.29	bind-tools 9.20.22-r0 fixed in 9.20.23-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-5946	LOW2.29	bind-tools 9.20.22-r0 fixed in 9.20.23-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-5947	LOW2.12	bind-tools 9.20.22-r0 fixed in 9.20.23-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-14819	LOW2.08	curl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW2.08	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.132.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.12.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-45300	NONE0	org.asynchttpclient:async-http-client 2.14.5 fixed in 3.0.10, 2.15.0	0.3% Theoretical Threat	Not Applicable