Vulnerability Report: bkimminich/juice-shop:v18.0.0

DIGEST: sha256:491566e56179a3c81697a35e2b5adede6fa4445db511c15bf4c637c1e9c19c6b

Executive Summary

Threat Score: 100/100 (DANGEROUS)
Reputation: RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could bypass authentication to gain unauthorized access to sensitive data, execute arbitrary code on the host via sandbox escapes or command injection, and disrupt service availability. Key vulnerabilities include CVE-2015-9235 and CVE-2020-15084, which allow authentication bypass, and CVE-2021-23337, which enables remote code execution. Note that CVE-2026-31789 only affects 32-bit platforms, but the majority of critical findings are universally exploitable and require no special configuration. No compensating controls fully mitigate the top risks.

Vulnerabilities

Vulnerability Log

214 total
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
| --- | --- | --- | --- | --- |
| CVE-2015-9235 | CRITICAL 9.8 | jsonwebtoken 0.1.0; fixed in 4.2.2 | 7.2% (Low-Moderate Risk) | Directly Exposed; Context importance: HIGH |
| CVE-2015-9235 | CRITICAL 9.8 | jsonwebtoken 0.4.0; fixed in 4.2.2 | 7.2% (Low-Moderate Risk) | Directly Exposed; Context importance: HIGH |
| CVE-2020-15084 | CRITICAL 9.1 | express-jwt 0.1.3; fixed in 6.0.0 | 1.1% (Low-Moderate Risk) | Directly Exposed; Context importance: HIGH |
| CVE-2019-10744 | CRITICAL 9.1 | lodash 2.4.2; fixed in 4.17.12 | 5.0% (Low-Moderate Risk) | Directly Exposed; Context importance: HIGH |
| CVE-2026-31789 | HIGH 8.33 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.19-1~deb12u2 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44008 | HIGH 8.33 | vm2 3.9.17; fixed in 3.11.2 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44009 | HIGH 8.33 | vm2 3.9.17; fixed in 3.11.2 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-45411 | HIGH 8.33 | vm2 3.9.17; fixed in 3.11.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2021-23337 | HIGH 8.28 | lodash 2.4.2; fixed in 4.17.21 | 22.4% (High Exploitation Risk) | Directly Exposed |
| CVE-2026-45447 | HIGH 8.1 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 1.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2024-29415 | HIGH 7.84 | ip 2.0.1; No fix yet | 8.3% (Low-Moderate Risk) | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-45445 | HIGH 7.73 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2023-46233 | HIGH 7.73 | crypto-js 3.3.0; fixed in 4.2.0 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-24118 | HIGH 7.73 | vm2 3.9.17; fixed in 3.11.0 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-24120 | HIGH 7.73 | vm2 3.9.17; fixed in 3.10.5 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2018-20796 | HIGH 7.5 | libc6 2.36-9+deb12u10; No fix yet | 5.8% (Low-Moderate Risk) | Directly Exposed |
| CVE-2019-9192 | HIGH 7.5 | libc6 2.36-9+deb12u10; No fix yet | 2.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2024-4068 | HIGH 7.5 | braces 2.3.2; fixed in 3.0.3 | 1.5% (Low-Moderate Risk) | Directly Exposed |
| CVE-2025-64756 | HIGH 7.5 | glob 10.4.5; fixed in 11.1.0, 10.5.0 | 3.0% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-25881 | HIGH 7.5 | http-cache-semantics 3.8.1; fixed in 4.1.1 | 1.6% (Low-Moderate Risk) | Directly Exposed |
| CVE-2017-18214 | HIGH 7.5 | moment 2.0.0; fixed in 2.19.3 | 3.7% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-24785 | HIGH 7.5 | moment 2.0.0; fixed in 2.29.2 | 5.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-25887 | HIGH 7.5 | sanitize-html 1.4.2; fixed in 2.7.1 | 1.1% (Low-Moderate Risk) | Directly Exposed |
| CVE-2023-32695 | HIGH 7.5 | socket.io-parser 4.0.5; fixed in 4.2.3, 3.4.3, 3.3.4 | 1.1% (Low-Moderate Risk) | Directly Exposed |
| CVE-2020-8203 | HIGH 7.4 | lodash.set 4.3.2; No fix yet | 5.2% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-44001 | HIGH 7.31 | vm2 3.9.17; fixed in 3.11.0 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44004 | HIGH 7.31 | vm2 3.9.17; fixed in 3.11.0 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33941 | MEDIUM 6.97 | handlebars 4.7.7; fixed in 4.7.9 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-0861 | MEDIUM 6.88 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u14 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28387 | MEDIUM 6.88 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.19-1~deb12u2 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33938 | MEDIUM 6.88 | handlebars 4.7.7; fixed in 4.7.9 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33940 | MEDIUM 6.88 | handlebars 4.7.7; fixed in 4.7.9 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2022-23539 | MEDIUM 6.88 | jsonwebtoken 0.1.0; fixed in 9.0.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2022-23539 | MEDIUM 6.88 | jsonwebtoken 0.4.0; fixed in 9.0.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-24781 | MEDIUM 6.88 | vm2 3.9.17; fixed in 3.11.0 | 1.0% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27837 | MEDIUM 6.66 | dottie 2.0.6; fixed in 2.0.7 | 0.3% (Theoretical Threat) | Directly Exposed; Context importance: MEDIUM |
| CVE-2022-41940 | MEDIUM 6.5 | engine.io 4.1.2; fixed in 3.6.1, 6.2.1 | 1.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2018-3721 | MEDIUM 6.5 | lodash 2.4.2; fixed in >=4.17.5 | 2.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2016-4055 | MEDIUM 6.5 | moment 2.0.0; fixed in >=2.11.2 | 9.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-23540 | MEDIUM 6.46 | jsonwebtoken 0.1.0; fixed in 9.0.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2022-23540 | MEDIUM 6.46 | jsonwebtoken 0.4.0; fixed in 9.0.0 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-69421 | MEDIUM 6.38 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28388 | MEDIUM 6.38 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.19-1~deb12u2 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28389 | MEDIUM 6.38 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.19-1~deb12u2 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-28390 | MEDIUM 6.38 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.19-1~deb12u2 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33750 | MEDIUM 6.38 | brace-expansion 1.1.12; fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33750 | MEDIUM 6.38 | brace-expansion 2.0.2; fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-24001 | MEDIUM 6.38 | diff 4.0.2; fixed in 8.0.3, 5.2.2, 4.0.4, 3.5.1 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33939 | MEDIUM 6.38 | handlebars 4.7.7; fixed in 4.7.9 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-65945 | MEDIUM 6.38 | jws 0.2.6; fixed in 3.2.3, 4.0.1 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.0.5; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.0.8; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.1.2; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 5.1.6; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 9.0.5; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2359 | MEDIUM 6.38 | multer 1.4.5-lts.2; fixed in 2.1.0 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-3304 | MEDIUM 6.38 | multer 1.4.5-lts.2; fixed in 2.1.0 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-3520 | MEDIUM 6.38 | multer 1.4.5-lts.2; fixed in 2.1.1 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.13.0; fixed in 6.14.1 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2391 | MEDIUM 6.38 | qs 6.13.0; fixed in 6.14.2 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-30951 | MEDIUM 6.38 | sequelize 6.37.7; fixed in 6.37.8 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33151 | MEDIUM 6.38 | socket.io-parser 4.0.5; fixed in 3.3.5, 3.4.4, 4.2.6 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-59343 | MEDIUM 6.38 | tar-fs 2.1.3; fixed in 3.1.1, 2.1.4, 1.16.6 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 8.3.2; fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-45736 | MEDIUM 6.38 | ws 8.17.1; fixed in 8.20.1 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-69419 | MEDIUM 6.29 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-34182 | MEDIUM 6.29 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2024-38355 | MEDIUM 6.21 | socket.io 3.1.2; fixed in 2.5.1, 4.6.2 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44000 | MEDIUM 6.12 | vm2 3.9.17; fixed in 3.11.0 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2017-16016 | MEDIUM 6.1 | sanitize-html 1.4.2; fixed in 1.11.4 | 1.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2025-15467 | MEDIUM 6 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 48.7% (High Exploitation Risk) | Directly Exposed |
| CVE-2025-4802 | MEDIUM 5.95 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u11 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2024-37890 | MEDIUM 5.9 | ws 7.4.6; fixed in 5.2.4, 6.2.3, 7.5.10, 8.17.1 | 1.3% (Low-Moderate Risk) | Directly Exposed |
| CVE-2025-9230 | MEDIUM 5.6 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.17-1~deb12u3 | 1.8% (Low-Moderate Risk) | Directly Exposed |
| CVE-2018-16487 | MEDIUM 5.6 | lodash 2.4.2; fixed in >=4.17.11 | 1.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-4437 | MEDIUM 5.52 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u14 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-6238 | MEDIUM 5.52 | libc6 2.36-9+deb12u10; No fix yet | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.0.8; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.1.2; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 5.1.6; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 9.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2021-23771 | MEDIUM 5.52 | notevil 1.3.3; No fix yet | 1.0% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33671 | MEDIUM 5.52 | picomatch 2.3.1; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33671 | MEDIUM 5.52 | picomatch 4.0.2; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2022-23541 | MEDIUM 5.35 | jsonwebtoken 0.1.0; fixed in 9.0.0 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2022-23541 | MEDIUM 5.35 | jsonwebtoken 0.4.0; fixed in 9.0.0 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2019-1010024 | MEDIUM 5.3 | libc6 2.36-9+deb12u10; No fix yet | 3.2% (Low-Moderate Risk) | Directly Exposed |
| CVE-2019-1010025 | MEDIUM 5.3 | libc6 2.36-9+deb12u10; No fix yet | 2.3% (Low-Moderate Risk) | Directly Exposed |
| CVE-2022-33987 | MEDIUM 5.3 | got 8.3.2; fixed in 12.1.0, 11.8.5 | 1.9% (Low-Moderate Risk) | Directly Exposed |
| CVE-2024-4067 | MEDIUM 5.3 | micromatch 3.1.10; fixed in 4.0.8 | 1.4% (Low-Moderate Risk) | Directly Exposed |
| CVE-2021-26539 | MEDIUM 5.3 | sanitize-html 1.4.2; fixed in 2.3.1 | 2.0% (Low-Moderate Risk) | Directly Exposed |
| CVE-2021-26540 | MEDIUM 5.3 | sanitize-html 1.4.2; fixed in 2.3.2 | 1.8% (Low-Moderate Risk) | Directly Exposed |
| CVE-2024-21501 | MEDIUM 5.3 | sanitize-html 1.4.2; fixed in 2.12.1 | 1.0% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-42338 | MEDIUM 5.18 | ip-address 9.0.5; fixed in 10.1.1 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2016-1000237 | MEDIUM 5.18 | sanitize-html 1.4.2; fixed in >=1.4.3 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2019-25225 | MEDIUM 5.18 | sanitize-html 1.4.2; fixed in 2.0.0-beta | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-5435 | MEDIUM 5.02 | libc6 2.36-9+deb12u10; No fix yet | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2025-15281 | MEDIUM 5.02 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u14 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-31790 | MEDIUM 5.02 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.19-1~deb12u2 | 1.0% (Theoretical Threat) | Directly Exposed |
| CVE-2025-69420 | MEDIUM 5.02 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-22796 | MEDIUM 5.02 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42770 | MEDIUM 5.02 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-9076 | MEDIUM 5.02 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.0.8; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.1.2; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 5.1.6; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 9.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44002 | MEDIUM 4.93 | vm2 3.9.17; fixed in 3.11.0 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-44003 | MEDIUM 4.93 | vm2 3.9.17; fixed in 3.11.0 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | gcc-12-base 12.2.0-14+deb12u1; No fix yet | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libgcc-s1 12.2.0-14+deb12u1; No fix yet | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libgomp1 12.2.0-14+deb12u1; No fix yet | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-22795 | MEDIUM 4.67 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.1% (Theoretical Threat) | Directly Exposed |
| CVE-2026-7383 | MEDIUM 4.67 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libstdc++6 12.2.0-14+deb12u1; No fix yet | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-0915 | MEDIUM 4.5 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u14 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-4046 | MEDIUM 4.5 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u14 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42766 | MEDIUM 4.5 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-42767 | MEDIUM 4.5 | libssl3 3.0.16-1~deb12u1; No fix yet | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-31808 | MEDIUM 4.5 | file-type 16.5.4; fixed in 21.3.1 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2025-64718 | MEDIUM 4.5 | js-yaml 3.14.1; fixed in 4.1.1, 3.14.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 2.4.2; fixed in 4.18.0 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2025-13465 | MEDIUM 4.5 | lodash 4.17.21; fixed in 4.17.23 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 4.17.21; fixed in 4.18.0 | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2025-48997 | MEDIUM 4.5 | multer 1.4.5-lts.2; fixed in 2.0.1 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2025-7338 | MEDIUM 4.5 | multer 1.4.5-lts.2; fixed in 2.0.2 | 0.6% (Theoretical Threat) | Directly Exposed |
| CVE-2026-4867 | MEDIUM 4.5 | path-to-regexp 0.1.12; fixed in 0.1.13 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33672 | MEDIUM 4.5 | picomatch 2.3.1; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33672 | MEDIUM 4.5 | picomatch 4.0.2; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% (Theoretical Threat) | Directly Exposed |
| CVE-2023-32313 | MEDIUM 4.5 | vm2 3.9.17; fixed in 3.9.18 | 0.8% (Theoretical Threat) | Directly Exposed |
| CVE-2026-5450 | MEDIUM 4.25 | libc6 2.36-9+deb12u10; No fix yet | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2026-5928 | MEDIUM 4.25 | libc6 2.36-9+deb12u10; No fix yet | 0.3% (Theoretical Threat) | Directly Exposed |
| CVE-2026-34180 | MEDIUM 4.25 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.5% (Theoretical Threat) | Directly Exposed |
| CVE-2025-68160 | MEDIUM 4 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-33916 | MEDIUM 4 | handlebars 4.7.7; fixed in 4.7.9 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2010-4756 | MEDIUM 4 | libc6 2.36-9+deb12u10; No fix yet | 2.6% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-26960 | LOW 3.62 | tar 4.4.19; fixed in 7.5.8 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-26960 | LOW 3.62 | tar 6.2.1; fixed in 7.5.8 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-26960 | LOW 3.62 | tar 7.4.3; fixed in 7.5.8 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2023-32314 | LOW 3.6 | vm2 3.9.17; fixed in 3.9.18 | 5.6% (Low-Moderate Risk) | Post-Exploit |
| CVE-2023-37466 | LOW 3.6 | vm2 3.9.17; fixed in 3.10.0 | 2.3% (Low-Moderate Risk) | Post-Exploit |
| CVE-2023-37903 | LOW 3.6 | vm2 3.9.17; No fix yet | 3.3% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-22709 | LOW 3.6 | vm2 3.9.17; fixed in 3.10.2 | 1.2% (Low-Moderate Risk) | Post-Exploit |
| CVE-2025-8058 | LOW 3.57 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u13 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2019-1010022 | LOW 3.53 | libc6 2.36-9+deb12u10; No fix yet | 3.2% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-33937 | LOW 3.53 | handlebars 4.7.7; fixed in 4.7.9 | 1.3% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-4800 | LOW 3.53 | lodash 4.17.21; fixed in 4.18.0 | 1.0% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-47131 | LOW 3.48 | vm2 3.9.17; fixed in 3.11.4 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2026-47137 | LOW 3.48 | vm2 3.9.17; fixed in 3.11.4 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2026-47140 | LOW 3.48 | vm2 3.9.17; fixed in 3.11.4 | 0.9% (Theoretical Threat) | Directly Exposed |
| CVE-2026-4438 | LOW 3.4 | libc6 2.36-9+deb12u10; fixed in 2.36-9+deb12u14 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2025-69418 | LOW 3.4 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.18-1~deb12u2 | 0.1% (Theoretical Threat) | Directly Exposed |
| CVE-2026-3449 | LOW 3.4 | @tootallnate/once 1.1.2; fixed in 3.0.1, 2.0.1 | 0.1% (Theoretical Threat) | Directly Exposed |
| CVE-2026-3449 | LOW 3.4 | @tootallnate/once 2.0.0; fixed in 3.0.1, 2.0.1 | 0.1% (Theoretical Threat) | Directly Exposed |
| CVE-2026-29786 | LOW 3.21 | tar 4.4.19; fixed in 7.5.10 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 6.2.1; fixed in 7.5.10 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 7.4.3; fixed in 7.5.10 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2019-1010023 | LOW 3.17 | libc6 2.36-9+deb12u10; No fix yet | 3.1% (Low-Moderate Risk) | Post-Exploit |
| CVE-2026-45446 | LOW 3.15 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.20-1~deb12u2 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.2; fixed in 0.7.0 | 0.7% (Theoretical Threat) | Directly Exposed |
| CVE-2026-23745 | LOW 3.11 | tar 4.4.19; fixed in 7.5.3 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-23745 | LOW 3.11 | tar 6.2.1; fixed in 7.5.3 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-23745 | LOW 3.11 | tar 7.4.3; fixed in 7.5.3 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2025-9232 | LOW 3.1 | libssl3 3.0.16-1~deb12u1; fixed in 3.0.17-1~deb12u3 | 2.0% (Low-Moderate Risk) | Directly Exposed |
| CVE-2026-26332 | LOW 3.06 | vm2 3.9.17; fixed in 3.11.0 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2026-43997 | LOW 3.06 | vm2 3.9.17; fixed in 3.11.0 | 0.7% (Theoretical Threat) | Post-Exploit |
| CVE-2026-44005 | LOW 3.06 | vm2 3.9.17; fixed in 3.11.0 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2026-44006 | LOW 3.06 | vm2 3.9.17; fixed in 3.11.0 | 0.6% (Theoretical Threat) | Post-Exploit |
| CVE-2026-44007 | LOW 3.03 | vm2 3.9.17; fixed in 3.11.1 | 0.8% (Theoretical Threat) | Post-Exploit |
| CVE-2026-26956 | LOW 3 | vm2 3.9.17; fixed in 3.10.5 | 0.7% (Theoretical Threat) | Post-Exploit |
| CVE-2025-7339 | LOW 2.89 | on-headers 1.0.2; fixed in 1.1.0 | 0.2% (Theoretical Threat) | Directly Exposed |
| CVE-2026-31802 | LOW 2.8 | tar 4.4.19; fixed in 7.5.11 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 6.2.1; fixed in 7.5.11 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 7.4.3; fixed in 7.5.11 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-24842 | LOW 2.51 | tar 4.4.19; fixed in 7.5.7 | 0.5% (Theoretical Threat) | Post-Exploit |
| CVE-2026-24842 | LOW 2.51 | tar 6.2.1; fixed in 7.5.7 | 0.5% (Theoretical Threat) | Post-Exploit |
| CVE-2026-24842 | LOW 2.51 | tar 7.4.3; fixed in 7.5.7 | 0.5% (Theoretical Threat) | Post-Exploit |
| CVE-2024-28863 | LOW 1.99 | tar 4.4.19; fixed in 6.2.1 | 0.9% (Theoretical Threat) | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 4.4.19; fixed in 7.5.4 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 6.2.1; fixed in 7.5.4 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 7.4.3; fixed in 7.5.4 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2025-27587 | NONE 0 | libssl3 3.0.16-1~deb12u1; No fix yet | 0.4% (Theoretical Threat) | Not Applicable |
| NSWG-ECO-428 | NONE 0 | base64url 0.0.6; fixed in >=3.0.0 | | Not Applicable |
| GHSA-rvg8-pwq2-xj7q | NONE 0 | base64url 0.0.6; fixed in 3.0.0 | | Not Applicable |
| GHSA-7rx3-28cr-v5wh | NONE 0 | handlebars 4.7.7; fixed in 4.7.9 | | Not Applicable |
| GHSA-442j-39wm-28r2 | NONE 0 | handlebars 4.7.7; fixed in 4.7.9 | | Not Applicable |
| CVE-2026-53550 | NONE 0 | js-yaml 3.14.1; fixed in 4.2.0 | | Not Applicable |
| NSWG-ECO-17 | NONE 0 | jsonwebtoken 0.1.0; fixed in >=4.2.2 | | Not Applicable |
| NSWG-ECO-17 | NONE 0 | jsonwebtoken 0.4.0; fixed in >=4.2.2 | | Not Applicable |
| CVE-2016-1000223 | NONE 0 | jws 0.2.6; fixed in >=3.0.0 | | Not Applicable |
| GHSA-5mrr-rgp6-x4gr | NONE 0 | marsdb 0.6.11; No fix yet | | Not Applicable |
| CVE-2025-57349 | NONE 0 | messageformat 2.3.0; fixed in 3.0.0-beta.0 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2025-47935 | NONE 0 | multer 1.4.5-lts.2; fixed in 2.0.0 | 0.7% (Theoretical Threat) | Not Applicable |
| CVE-2025-47944 | NONE 0 | multer 1.4.5-lts.2; fixed in 2.0.0 | 0.7% (Theoretical Threat) | Not Applicable |
| CVE-2026-5079 | NONE 0 | multer 1.4.5-lts.2; fixed in 2.2.0, 3.0.0-alpha.2 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-8723 | NONE 0 | qs 6.13.0; fixed in 6.15.2 | 0.3% (Theoretical Threat) | Not Applicable |
| NSWG-ECO-154 | NONE 0 | sanitize-html 1.4.2; fixed in >=1.11.4 | | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 4.4.19; fixed in 7.5.16 | | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 6.2.1; fixed in 7.5.16 | | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 7.4.3; fixed in 7.5.16 | | Not Applicable |
| CVE-2025-12758 | NONE 0 | validator 13.15.15; fixed in 13.15.22 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2025-56200 | NONE 0 | validator 13.15.15; fixed in 13.15.20 | 0.3% (Theoretical Threat) | Not Applicable |
| CVE-2026-47208 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.9% (Theoretical Threat) | Not Applicable |
| CVE-2026-47210 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.9% (Theoretical Threat) | Not Applicable |
| CVE-2026-47135 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.4% (Theoretical Threat) | Not Applicable |
| CVE-2026-47139 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.5% (Theoretical Threat) | Not Applicable |
| CVE-2026-47209 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.5% (Theoretical Threat) | Not Applicable |
| CVE-2026-47141 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.5% (Theoretical Threat) | Not Applicable |
| GHSA-2cm2-m3w5-gp2f | NONE 0 | vm2 3.9.17; fixed in 3.11.2 | | Not Applicable |
| GHSA-q3fm-4wcw-g57x | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | | Not Applicable |
| CVE-2026-48779 | NONE 0 | ws 7.4.6; fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | | Not Applicable |
| CVE-2026-48779 | NONE 0 | ws 8.17.1; fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | | Not Applicable |