This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via CVE-2026-4800 if untrusted input reaches lodash template compilation, which is possible given ArangoDB's use of JavaScript for Foxx services. The image contains 28 exposed vulnerabilities, including one critical and four high-severity flaws. Upgrading lodash to version 4.18.0 would eliminate the RCE risk, but until then the container should not be deployed in production.
| CVE ID | Adjusted Severity | Score | Package | Fixed In | Exploit Probability | Risk Context |
|---|---|---|---|---|---|---|
| CVE-2026-4800 | HIGH | 7.84 | lodash 4.17.21 | 4.18.0 | 1.0% (Low-Moderate Risk) | Directly Exposed; context importance: MEDIUM |
| CVE-2026-28390 | MEDIUM | 6.38 | libcrypto3 3.3.6-r0 | 3.3.7-r0 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28390 | MEDIUM | 6.38 | libssl3 3.3.6-r0 | 3.3.7-r0 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33750 | MEDIUM | 6.38 | brace-expansion 1.1.11 | 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42306 | MEDIUM | 6.12 | github.com/docker/docker v28.5.2+incompatible | No fix yet | 0.1% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27904 | MEDIUM | 5.52 | minimatch 3.1.2 | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28388 | MEDIUM | 5.1 | libcrypto3 3.3.6-r0 | 3.3.7-r0 | 0.9% (Theoretical Threat) | Directly Exposed; context importance: MEDIUM |
| CVE-2026-28388 | MEDIUM | 5.1 | libssl3 3.3.6-r0 | 3.3.7-r0 | 0.9% (Theoretical Threat) | Directly Exposed; context importance: MEDIUM |
| CVE-2025-69873 | MEDIUM | 5.1 | ajv 8.12.0 | 8.18.0, 6.14.0 | 0.4% (Theoretical Threat) | Directly Exposed; context importance: MEDIUM |
| CVE-2025-15284 | MEDIUM | 5.1 | qs 6.11.2 | 6.14.1 | 0.4% (Theoretical Threat) | Directly Exposed; context importance: MEDIUM |
| CVE-2026-2391 | MEDIUM | 5.1 | qs 6.11.2 | 6.14.2 | 0.5% (Theoretical Threat) | Directly Exposed; context importance: MEDIUM |
| CVE-2026-31790 | MEDIUM | 5.02 | libcrypto3 3.3.6-r0 | 3.3.7-r0 | 1.0% (Theoretical Threat) | Directly Exposed |
| CVE-2026-31790 | MEDIUM | 5.02 | libssl3 3.3.6-r0 | 3.3.7-r0 | 1.0% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM | 5.02 | minimatch 3.1.2 | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-6042 | MEDIUM | 4.67 | musl 1.2.5-r9 | 1.2.5-r10 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27171 | MEDIUM | 4.67 | zlib 1.3.1-r2 | 1.3.2-r0 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2025-64718 | MEDIUM | 4.5 | js-yaml 3.14.1 | 4.1.1, 3.14.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2025-13465 | MEDIUM | 4.5 | lodash 4.17.21 | 4.17.23 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2950 | MEDIUM | 4.5 | lodash 4.17.21 | 4.18.0 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-41176 | MEDIUM | 4.06 | github.com/rclone/rclone v1.65.2+dirty | 1.73.5 | 35.4% (High Exploitation Risk) | Post-Exploit |
| CVE-2025-69725 | MEDIUM | 4 | github.com/go-chi/chi/v5 v5.2.3 | 5.2.4 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-40200 | LOW | 3.98 | musl-utils 1.2.5-r9 | 1.2.5-r11 | 0.1% (Theoretical Threat) | Post-Exploit |
| CVE-2026-41179 | LOW | 3.53 | github.com/rclone/rclone v1.65.2+dirty | 1.73.5 | 7.1% (Low-Moderate Risk) | Post-Exploit |
| CVE-2024-52522 | LOW | 3.47 | github.com/rclone/rclone v1.65.2+dirty | 1.68.2 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-41568 | LOW | 3.31 | github.com/docker/docker v28.5.2+incompatible | No fix yet | 0.1% (Theoretical Threat) | Directly Exposed |
| CVE-2026-31789 | LOW | 3 | libcrypto3 3.3.6-r0 | 3.3.7-r0 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-31789 | LOW | 3 | libssl3 3.3.6-r0 | 3.3.7-r0 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-1229 | LOW | 3 | github.com/cloudflare/circl v1.6.1 | 1.6.3 | 0.4% (Theoretical Threat) | Post-Exploit |
| CVE-2026-34040 | LOW | 2.81 | github.com/docker/docker v28.5.2+incompatible | 29.3.1 | 8.1% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-6042 | LOW | 2.8 | musl-utils 1.2.5-r9 | 1.2.5-r10 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-33186 | LOW | 2.78 | google.golang.org/grpc v1.59.0 | 1.79.3 | 0.5% (Theoretical Threat) | Post-Exploit |
| CVE-2026-32952 | LOW | 2.7 | github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 | 0.1.1 | 1.0% (Low-Moderate Risk) | Post-Exploit |
| CVE-2025-5889 | LOW | 2.63 | brace-expansion 1.1.11 | 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28387 | LOW | 2.48 | libcrypto3 3.3.6-r0 | 3.3.7-r0 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2026-28387 | LOW | 2.48 | libssl3 3.3.6-r0 | 3.3.7-r0 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2026-33997 | LOW | 2.48 | github.com/docker/docker v28.5.2+incompatible | 29.3.1 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-40200 | LOW | 2.39 | musl 1.2.5-r9 | 1.2.5-r11 | 0.1% (Theoretical Threat) | Post-Exploit |
| CVE-2026-22184 | LOW | 2.39 | zlib 1.3.1-r2 | 1.3.2-r0 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-28389 | LOW | 2.29 | libcrypto3 3.3.6-r0 | 3.3.7-r0 | 0.8% (Theoretical Threat) | Post-Exploit |
| CVE-2026-28389 | LOW | 2.29 | libssl3 3.3.6-r0 | 3.3.7-r0 | 0.8% (Theoretical Threat) | Post-Exploit |
| CVE-2026-26996 | LOW | 2.29 | minimatch 3.1.2 | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Post-Exploit |
| CVE-2025-68121 | NONE | 0 | stdlib v1.24.11 | 1.24.13, 1.25.7, 1.26.0-rc.3 | 0.8% (Theoretical Threat) | Not Applicable |
| CVE-2025-61726 | NONE | 0 | stdlib v1.24.11 | 1.24.12, 1.25.6 | 0.8% (Theoretical Threat) | Not Applicable |
| CVE-2026-25679 | NONE | 0 | stdlib v1.24.11 | 1.25.8, 1.26.1 | 0.5% (Theoretical Threat) | Not Applicable |
| CVE-2026-32280 | NONE | 0 | stdlib v1.24.11 | 1.25.9, 1.26.2 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-32281 | NONE | 0 | stdlib v1.24.11 | 1.25.9, 1.26.2 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-32283 | NONE | 0 | stdlib v1.24.11 | 1.25.9, 1.26.2 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-33811 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.5% (Theoretical Threat) | Not Applicable |
| CVE-2026-33814 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.6% (Theoretical Threat) | Not Applicable |
| CVE-2026-39820 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-39836 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.6% (Theoretical Threat) | Not Applicable |
| CVE-2025-61728 | NONE | 0 | stdlib v1.24.11 | 1.24.12, 1.25.6 | 0.6% (Theoretical Threat) | Not Applicable |
| CVE-2026-32282 | NONE | 0 | stdlib v1.24.11 | 1.25.9, 1.26.2 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-32289 | NONE | 0 | stdlib v1.24.11 | 1.25.9, 1.26.2 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-32288 | NONE | 0 | stdlib v1.24.11 | 1.25.9, 1.26.2 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-27142 | NONE | 0 | stdlib v1.24.11 | 1.25.8, 1.26.1 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-39826 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2025-61730 | NONE | 0 | stdlib v1.24.11 | 1.24.12, 1.25.6 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-42507 | NONE | 0 | stdlib v1.24.11 | 1.25.11, 1.26.4 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-27139 | NONE | 0 | stdlib v1.24.11 | 1.25.8, 1.26.1 | 0.2% (Theoretical Threat) | Not Applicable |
| CVE-2026-48038 | NONE | 0 | joi 14.3.1 | 18.2.1, 17.13.4 | — | Not Applicable |
| CVE-2026-53550 | NONE | 0 | js-yaml 3.14.1 | 4.2.0 | — | Not Applicable |
| CVE-2026-8723 | NONE | 0 | qs 6.11.2 | 6.15.2 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-41567 | NONE | 0 | github.com/docker/docker v28.5.2+incompatible | No fix yet | 0.1% (Theoretical Threat) | Not Applicable |
| CVE-2026-39823 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-39825 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-42499 | NONE | 0 | stdlib v1.24.11 | 1.25.10, 1.26.3 | 0.6% (Theoretical Threat) | Not Applicable |
| CVE-2026-42504 | NONE | 0 | stdlib v1.24.11 | 1.25.11, 1.26.4 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-27145 | NONE | 0 | stdlib v1.24.11 | 1.25.11, 1.26.4 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-44973 | NONE | 0 | github.com/go-git/go-billy/v5 v5.5.0 | 5.9.0 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-44740 | NONE | 0 | github.com/go-git/go-billy/v5 v5.5.0 | 5.9.0 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-49980 | NONE | 0 | github.com/rclone/rclone v1.65.2+dirty | 1.74.3 | — | Not Applicable |