This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via CVE-2026-4800 if Foxx services process untrusted template inputs, or cause denial of service via crafted OpenSSL CMS messages (CVE-2026-28390). The OpenSSL and brace-expansion vulnerabilities are conditional on specific contexts (CMS processing, brace pattern expansion), but the lodash RCE is a direct threat to any JavaScript-driven functionality. Upgrading lodash to 4.18.0 and patching OpenSSL would fully mitigate the most severe issues, but the overall exposure remains unacceptable.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-4800 | HIGH7.84 | lodash 4.17.21 fixed in 4.18.0 | 1.0% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-28390 | MEDIUM6.38 | libcrypto3 3.3.6-r0 fixed in 3.3.7-r0 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-28390 | MEDIUM6.38 | libssl3 3.3.6-r0 fixed in 3.3.7-r0 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM6.38 | brace-expansion 1.1.11 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-42306 | MEDIUM6.12 | github.com/docker/docker v28.5.2+incompatible No fix yet | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM5.52 | minimatch 3.1.2 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-28388 | MEDIUM5.1 | libcrypto3 3.3.6-r0 fixed in 3.3.7-r0 | 0.9% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-28388 | MEDIUM5.1 | libssl3 3.3.6-r0 fixed in 3.3.7-r0 | 0.9% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-69873 | MEDIUM5.1 | ajv 8.12.0 fixed in 8.18.0, 6.14.0 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-15284 | MEDIUM5.1 | qs 6.11.2 fixed in 6.14.1 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-2391 | MEDIUM5.1 | qs 6.11.2 fixed in 6.14.2 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-31790 | MEDIUM5.02 | libcrypto3 3.3.6-r0 fixed in 3.3.7-r0 | 1.0% Theoretical Threat | Directly Exposed |
| CVE-2026-31790 | MEDIUM5.02 | libssl3 3.3.6-r0 fixed in 3.3.7-r0 | 1.0% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM5.02 | minimatch 3.1.2 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-6042 | MEDIUM4.67 | musl 1.2.5-r9 fixed in 1.2.5-r10 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-6042 | MEDIUM4.67 | musl-utils 1.2.5-r9 fixed in 1.2.5-r10 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-27171 | MEDIUM4.67 | zlib 1.3.1-r2 fixed in 1.3.2-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-64718 | MEDIUM4.5 | js-yaml 3.14.1 fixed in 4.1.1, 3.14.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-13465 | MEDIUM4.5 | lodash 4.17.21 fixed in 4.17.23 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM4.5 | lodash 4.17.21 fixed in 4.18.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41176 | MEDIUM4.06 | github.com/rclone/rclone v1.65.2+dirty fixed in 1.73.5 | 35.4% High Exploitation Risk | Post-Exploit |
| CVE-2025-69725 | MEDIUM4 | github.com/go-chi/chi/v5 v5.2.3 fixed in 5.2.4 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-41179 | LOW3.53 | github.com/rclone/rclone v1.65.2+dirty fixed in 1.73.5 | 7.1% Low-Moderate Risk | Post-Exploit |
| CVE-2024-52522 | LOW3.47 | github.com/rclone/rclone v1.65.2+dirty fixed in 1.68.2 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-41568 | LOW3.31 | github.com/docker/docker v28.5.2+incompatible No fix yet | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-31789 | LOW3 | libcrypto3 3.3.6-r0 fixed in 3.3.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-31789 | LOW3 | libssl3 3.3.6-r0 fixed in 3.3.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-1229 | LOW3 | github.com/cloudflare/circl v1.6.1 fixed in 1.6.3 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-34040 | LOW2.81 | github.com/docker/docker v28.5.2+incompatible fixed in 29.3.1 | 8.1% Low-Moderate Risk | Post-Exploit |
| CVE-2026-33186 | LOW2.78 | google.golang.org/grpc v1.59.0 fixed in 1.79.3 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-32952 | LOW2.7 | github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1 | 1.0% Low-Moderate Risk | Post-Exploit |
| CVE-2025-5889 | LOW2.63 | brace-expansion 1.1.11 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-28387 | LOW2.48 | libcrypto3 3.3.6-r0 fixed in 3.3.7-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-28387 | LOW2.48 | libssl3 3.3.6-r0 fixed in 3.3.7-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-33997 | LOW2.48 | github.com/docker/docker v28.5.2+incompatible fixed in 29.3.1 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-40200 | LOW2.39 | musl 1.2.5-r9 fixed in 1.2.5-r11 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-40200 | LOW2.39 | musl-utils 1.2.5-r9 fixed in 1.2.5-r11 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22184 | LOW2.39 | zlib 1.3.1-r2 fixed in 1.3.2-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-28389 | LOW2.29 | libcrypto3 3.3.6-r0 fixed in 3.3.7-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-28389 | LOW2.29 | libssl3 3.3.6-r0 fixed in 3.3.7-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-26996 | LOW2.29 | minimatch 3.1.2 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2025-68121 | NONE0 | stdlib v1.24.11 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3 | 0.8% Theoretical Threat | Not Applicable |
| CVE-2025-61726 | NONE0 | stdlib v1.24.11 fixed in 1.24.12, 1.25.6 | 0.8% Theoretical Threat | Not Applicable |
| CVE-2026-25679 | NONE0 | stdlib v1.24.11 fixed in 1.25.8, 1.26.1 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-32280 | NONE0 | stdlib v1.24.11 fixed in 1.25.9, 1.26.2 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-32281 | NONE0 | stdlib v1.24.11 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-32283 | NONE0 | stdlib v1.24.11 fixed in 1.25.9, 1.26.2 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-33811 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-33814 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-39820 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39836 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2025-61728 | NONE0 | stdlib v1.24.11 fixed in 1.24.12, 1.25.6 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-32282 | NONE0 | stdlib v1.24.11 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-32289 | NONE0 | stdlib v1.24.11 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-32288 | NONE0 | stdlib v1.24.11 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-27142 | NONE0 | stdlib v1.24.11 fixed in 1.25.8, 1.26.1 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-39826 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2025-61730 | NONE0 | stdlib v1.24.11 fixed in 1.24.12, 1.25.6 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-42507 | NONE0 | stdlib v1.24.11 fixed in 1.25.11, 1.26.4 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-27139 | NONE0 | stdlib v1.24.11 fixed in 1.25.8, 1.26.1 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-48038 | NONE0 | joi 14.3.1 fixed in 18.2.1, 17.13.4 | — | Not Applicable |
| CVE-2026-53550 | NONE0 | js-yaml 3.14.1 fixed in 4.2.0 | — | Not Applicable |
| CVE-2026-8723 | NONE0 | qs 6.11.2 fixed in 6.15.2 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-41567 | NONE0 | github.com/docker/docker v28.5.2+incompatible No fix yet | 0.1% Theoretical Threat | Not Applicable |
| CVE-2026-39823 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-39825 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-42499 | NONE0 | stdlib v1.24.11 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-42504 | NONE0 | stdlib v1.24.11 fixed in 1.25.11, 1.26.4 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-27145 | NONE0 | stdlib v1.24.11 fixed in 1.25.11, 1.26.4 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-44973 | NONE0 | github.com/go-git/go-billy/v5 v5.5.0 fixed in 5.9.0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-44740 | NONE0 | github.com/go-git/go-billy/v5 v5.5.0 fixed in 5.9.0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-49980 | NONE0 | github.com/rclone/rclone v1.65.2+dirty fixed in 1.74.3 | — | Not Applicable |