Vulnerability Report: bkimminich/juice-shop:v19.1.0

DIGEST: sha256:985a12d0640d758e3dd5788ad8cbe99a23cf8514071c1a3a743232553fd26025

Executive Summary

Threat Score: 100/100 (DANGEROUS)
Reputation: RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker can achieve full remote code execution on the host via multiple vm2 sandbox escapes (e.g., CVE-2023-32314), bypass authentication using algorithm confusion in jsonwebtoken (CVE-2015-9235), and exploit SSRF through the ip package (CVE-2024-29415) to access internal networks. No simple external mitigation exists; the vulnerable packages (especially vm2) are integral to the application's functionality. Note that CVE-2015-9235 and CVE-2020-15084 require the absence of explicit JWT algorithm configuration, which is the default in this image.

Vulnerabilities

Vulnerability Log

206 total
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2023-32314 | CRITICAL 10 | vm2 3.9.17; fixed in 3.9.18 | 5.6%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2023-37466 | CRITICAL 10 | vm2 3.9.17; fixed in 3.10.0 | 2.3%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2023-37903 | CRITICAL 10 | vm2 3.9.17; No fix yet | 3.3%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2026-22709 | CRITICAL 10 | vm2 3.9.17; fixed in 3.10.2 | 1.2%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2024-29415 | CRITICAL 9.8 | ip 2.0.1; No fix yet | 8.3%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2015-9235 | CRITICAL 9.8 | jsonwebtoken 0.1.0; fixed in 4.2.2 | 7.2%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2015-9235 | CRITICAL 9.8 | jsonwebtoken 0.4.0; fixed in 4.2.2 | 7.2%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2020-15084 | CRITICAL 9.1 | express-jwt 0.1.3; fixed in 6.0.0 | 1.1%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2019-10744 | CRITICAL 9.1 | lodash 2.4.2; fixed in 4.17.12 | 5.0%; Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2026-26332 | HIGH 8.5 | vm2 3.9.17; fixed in 3.11.0 | 0.6%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-43997 | HIGH 8.5 | vm2 3.9.17; fixed in 3.11.0 | 0.7%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-44005 | HIGH 8.5 | vm2 3.9.17; fixed in 3.11.0 | 0.6%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-44006 | HIGH 8.5 | vm2 3.9.17; fixed in 3.11.0 | 0.6%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-44007 | HIGH 8.42 | vm2 3.9.17; fixed in 3.11.1 | 0.8%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-31789 | HIGH 8.33 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.19-1~deb12u2 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2026-27837 | HIGH 8.33 | dottie 2.0.6; fixed in 2.0.7 | 0.3%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-26956 | HIGH 8.33 | vm2 3.9.17; fixed in 3.10.5 | 0.7%; Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-44008 | HIGH 8.33 | vm2 3.9.17; fixed in 3.11.2 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-44009 | HIGH 8.33 | vm2 3.9.17; fixed in 3.11.2 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-45411 | HIGH 8.33 | vm2 3.9.17; fixed in 3.11.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2021-23337 | HIGH 8.28 | lodash 2.4.2; fixed in 4.17.21 | 22.4%; High Exploitation Risk | Directly Exposed |
| CVE-2026-45447 | HIGH 8.1 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 1.4%; Low-Moderate Risk | Directly Exposed |
| CVE-2026-33937 | HIGH 7.84 | handlebars 4.7.7; fixed in 4.7.9 | 1.3%; Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-4800 | HIGH 7.84 | lodash 4.17.21; fixed in 4.18.0 | 1.0%; Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-45445 | HIGH 7.73 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2023-46233 | HIGH 7.73 | crypto-js 3.3.0; fixed in 4.2.0 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-24118 | HIGH 7.73 | vm2 3.9.17; fixed in 3.11.0 | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2026-24120 | HIGH 7.73 | vm2 3.9.17; fixed in 3.10.5 | 0.7%; Theoretical Threat | Directly Exposed |
| CVE-2018-20796 | HIGH 7.5 | libc6 2.36-9+deb12u13; No fix yet | 5.8%; Low-Moderate Risk | Directly Exposed |
| CVE-2019-9192 | HIGH 7.5 | libc6 2.36-9+deb12u13; No fix yet | 2.4%; Low-Moderate Risk | Directly Exposed |
| CVE-2024-4068 | HIGH 7.5 | braces 2.3.2; fixed in 3.0.3 | 1.5%; Low-Moderate Risk | Directly Exposed |
| CVE-2025-64756 | HIGH 7.5 | glob 10.4.5; fixed in 11.1.0, 10.5.0 | 3.0%; Low-Moderate Risk | Directly Exposed |
| CVE-2022-25881 | HIGH 7.5 | http-cache-semantics 3.8.1; fixed in 4.1.1 | 1.6%; Low-Moderate Risk | Directly Exposed |
| CVE-2017-18214 | HIGH 7.5 | moment 2.0.0; fixed in 2.19.3 | 3.7%; Low-Moderate Risk | Directly Exposed |
| CVE-2022-24785 | HIGH 7.5 | moment 2.0.0; fixed in 2.29.2 | 5.4%; Low-Moderate Risk | Directly Exposed |
| CVE-2022-25887 | HIGH 7.5 | sanitize-html 1.4.2; fixed in 2.7.1 | 1.1%; Low-Moderate Risk | Directly Exposed |
| CVE-2023-32695 | HIGH 7.5 | socket.io-parser 4.0.5; fixed in 4.2.3, 3.4.3, 3.3.4 | 1.1%; Low-Moderate Risk | Directly Exposed |
| CVE-2020-8203 | HIGH 7.4 | lodash.set 4.3.2; No fix yet | 5.2%; Low-Moderate Risk | Directly Exposed |
| CVE-2026-44001 | HIGH 7.31 | vm2 3.9.17; fixed in 3.11.0 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-44004 | HIGH 7.31 | vm2 3.9.17; fixed in 3.11.0 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-33941 | MEDIUM 6.97 | handlebars 4.7.7; fixed in 4.7.9 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-0861 | MEDIUM 6.88 | libc6 2.36-9+deb12u13; fixed in 2.36-9+deb12u14 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-28387 | MEDIUM 6.88 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.19-1~deb12u2 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-33938 | MEDIUM 6.88 | handlebars 4.7.7; fixed in 4.7.9 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-33940 | MEDIUM 6.88 | handlebars 4.7.7; fixed in 4.7.9 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2022-23539 | MEDIUM 6.88 | jsonwebtoken 0.1.0; fixed in 9.0.0 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2022-23539 | MEDIUM 6.88 | jsonwebtoken 0.4.0; fixed in 9.0.0 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-24781 | MEDIUM 6.88 | vm2 3.9.17; fixed in 3.11.0 | 1.0%; Theoretical Threat | Directly Exposed |
| CVE-2022-41940 | MEDIUM 6.5 | engine.io 4.1.2; fixed in 3.6.1, 6.2.1 | 1.9%; Low-Moderate Risk | Directly Exposed |
| CVE-2018-3721 | MEDIUM 6.5 | lodash 2.4.2; fixed in >=4.17.5 | 2.4%; Low-Moderate Risk | Directly Exposed |
| CVE-2016-4055 | MEDIUM 6.5 | moment 2.0.0; fixed in >=2.11.2 | 9.9%; Low-Moderate Risk | Directly Exposed |
| CVE-2022-23540 | MEDIUM 6.46 | jsonwebtoken 0.1.0; fixed in 9.0.0 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2022-23540 | MEDIUM 6.46 | jsonwebtoken 0.4.0; fixed in 9.0.0 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2025-69421 | MEDIUM 6.38 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2026-28388 | MEDIUM 6.38 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.19-1~deb12u2 | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2026-28389 | MEDIUM 6.38 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.19-1~deb12u2 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2026-28390 | MEDIUM 6.38 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.19-1~deb12u2 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM 6.38 | brace-expansion 1.1.12; fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM 6.38 | brace-expansion 2.0.2; fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-24001 | MEDIUM 6.38 | diff 4.0.2; fixed in 8.0.3, 5.2.2, 4.0.4, 3.5.1 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-33939 | MEDIUM 6.38 | handlebars 4.7.7; fixed in 4.7.9 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2025-65945 | MEDIUM 6.38 | jws 0.2.6; fixed in 3.2.3, 4.0.1 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.0.5; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.0.8; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.1.2; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 5.1.6; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 9.0.5; fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-2359 | MEDIUM 6.38 | multer 1.4.5-lts.2; fixed in 2.1.0 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-3304 | MEDIUM 6.38 | multer 1.4.5-lts.2; fixed in 2.1.0 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-3520 | MEDIUM 6.38 | multer 1.4.5-lts.2; fixed in 2.1.1 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.13.0; fixed in 6.14.1 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-2391 | MEDIUM 6.38 | qs 6.13.0; fixed in 6.14.2 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-30951 | MEDIUM 6.38 | sequelize 6.37.7; fixed in 6.37.8 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-33151 | MEDIUM 6.38 | socket.io-parser 4.0.5; fixed in 3.3.5, 3.4.4, 4.2.6 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 8.3.2; fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-45736 | MEDIUM 6.38 | ws 8.17.1; fixed in 8.20.1 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2025-69419 | MEDIUM 6.29 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-34182 | MEDIUM 6.29 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2024-38355 | MEDIUM 6.21 | socket.io 3.1.2; fixed in 2.5.1, 4.6.2 | 0.7%; Theoretical Threat | Directly Exposed |
| CVE-2026-44000 | MEDIUM 6.12 | vm2 3.9.17; fixed in 3.11.0 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2017-16016 | MEDIUM 6.1 | sanitize-html 1.4.2; fixed in 1.11.4 | 1.4%; Low-Moderate Risk | Directly Exposed |
| CVE-2024-37890 | MEDIUM 5.9 | ws 7.4.6; fixed in 5.2.4, 6.2.3, 7.5.10, 8.17.1 | 1.3%; Low-Moderate Risk | Directly Exposed |
| CVE-2018-16487 | MEDIUM 5.6 | lodash 2.4.2; fixed in >=4.17.11 | 1.9%; Low-Moderate Risk | Directly Exposed |
| CVE-2026-4437 | MEDIUM 5.52 | libc6 2.36-9+deb12u13; fixed in 2.36-9+deb12u14 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-6238 | MEDIUM 5.52 | libc6 2.36-9+deb12u13; No fix yet | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.0.8; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.1.2; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 5.1.6; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 9.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2021-23771 | MEDIUM 5.52 | notevil 1.3.3; No fix yet | 1.0%; Theoretical Threat | Directly Exposed |
| CVE-2026-33671 | MEDIUM 5.52 | picomatch 2.3.1; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-33671 | MEDIUM 5.52 | picomatch 4.0.3; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2022-23541 | MEDIUM 5.35 | jsonwebtoken 0.1.0; fixed in 9.0.0 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2022-23541 | MEDIUM 5.35 | jsonwebtoken 0.4.0; fixed in 9.0.0 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2019-1010024 | MEDIUM 5.3 | libc6 2.36-9+deb12u13; No fix yet | 3.2%; Low-Moderate Risk | Directly Exposed |
| CVE-2019-1010025 | MEDIUM 5.3 | libc6 2.36-9+deb12u13; No fix yet | 2.3%; Low-Moderate Risk | Directly Exposed |
| CVE-2022-33987 | MEDIUM 5.3 | got 8.3.2; fixed in 12.1.0, 11.8.5 | 1.9%; Low-Moderate Risk | Directly Exposed |
| CVE-2024-4067 | MEDIUM 5.3 | micromatch 3.1.10; fixed in 4.0.8 | 1.4%; Low-Moderate Risk | Directly Exposed |
| CVE-2021-26539 | MEDIUM 5.3 | sanitize-html 1.4.2; fixed in 2.3.1 | 2.0%; Low-Moderate Risk | Directly Exposed |
| CVE-2021-26540 | MEDIUM 5.3 | sanitize-html 1.4.2; fixed in 2.3.2 | 1.8%; Low-Moderate Risk | Directly Exposed |
| CVE-2024-21501 | MEDIUM 5.3 | sanitize-html 1.4.2; fixed in 2.12.1 | 1.0%; Low-Moderate Risk | Directly Exposed |
| CVE-2026-42338 | MEDIUM 5.18 | ip-address 10.1.0; fixed in 10.1.1 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2016-1000237 | MEDIUM 5.18 | sanitize-html 1.4.2; fixed in >=1.4.3 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2019-25225 | MEDIUM 5.18 | sanitize-html 1.4.2; fixed in 2.0.0-beta | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-5435 | MEDIUM 5.02 | libc6 2.36-9+deb12u13; No fix yet | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2025-15281 | MEDIUM 5.02 | libc6 2.36-9+deb12u13; fixed in 2.36-9+deb12u14 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-31790 | MEDIUM 5.02 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.19-1~deb12u2 | 1.0%; Theoretical Threat | Directly Exposed |
| CVE-2025-69420 | MEDIUM 5.02 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2026-22796 | MEDIUM 5.02 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-42770 | MEDIUM 5.02 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2026-9076 | MEDIUM 5.02 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.0.8; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.1.2; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 5.1.6; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 9.0.5; fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-44002 | MEDIUM 4.93 | vm2 3.9.17; fixed in 3.11.0 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2026-44003 | MEDIUM 4.93 | vm2 3.9.17; fixed in 3.11.0 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | gcc-12-base 12.2.0-14+deb12u1; No fix yet | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libgcc-s1 12.2.0-14+deb12u1; No fix yet | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libgomp1 12.2.0-14+deb12u1; No fix yet | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2026-22795 | MEDIUM 4.67 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.1%; Theoretical Threat | Directly Exposed |
| CVE-2026-7383 | MEDIUM 4.67 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2022-27943 | MEDIUM 4.67 | libstdc++6 12.2.0-14+deb12u1; No fix yet | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2026-0915 | MEDIUM 4.5 | libc6 2.36-9+deb12u13; fixed in 2.36-9+deb12u14 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-4046 | MEDIUM 4.5 | libc6 2.36-9+deb12u13; fixed in 2.36-9+deb12u14 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-42766 | MEDIUM 4.5 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-42767 | MEDIUM 4.5 | libssl3 3.0.17-1~deb12u3; No fix yet | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-31808 | MEDIUM 4.5 | file-type 16.5.4; fixed in 21.3.1 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2025-64718 | MEDIUM 4.5 | js-yaml 3.14.1; fixed in 4.1.1, 3.14.2 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 2.4.2; fixed in 4.18.0 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2025-13465 | MEDIUM 4.5 | lodash 4.17.21; fixed in 4.17.23 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 4.17.21; fixed in 4.18.0 | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2025-48997 | MEDIUM 4.5 | multer 1.4.5-lts.2; fixed in 2.0.1 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2025-7338 | MEDIUM 4.5 | multer 1.4.5-lts.2; fixed in 2.0.2 | 0.6%; Theoretical Threat | Directly Exposed |
| CVE-2026-4867 | MEDIUM 4.5 | path-to-regexp 0.1.12; fixed in 0.1.13 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-33672 | MEDIUM 4.5 | picomatch 2.3.1; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2026-33672 | MEDIUM 4.5 | picomatch 4.0.3; fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4%; Theoretical Threat | Directly Exposed |
| CVE-2023-32313 | MEDIUM 4.5 | vm2 3.9.17; fixed in 3.9.18 | 0.8%; Theoretical Threat | Directly Exposed |
| CVE-2026-5450 | MEDIUM 4.25 | libc6 2.36-9+deb12u13; No fix yet | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2026-5928 | MEDIUM 4.25 | libc6 2.36-9+deb12u13; No fix yet | 0.3%; Theoretical Threat | Directly Exposed |
| CVE-2026-34180 | MEDIUM 4.25 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.5%; Theoretical Threat | Directly Exposed |
| CVE-2025-15467 | MEDIUM 4.06 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 48.7%; High Exploitation Risk | Post-Exploit |
| CVE-2025-68160 | MEDIUM 4 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2026-33916 | MEDIUM 4 | handlebars 4.7.7; fixed in 4.7.9 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2010-4756 | MEDIUM 4 | libc6 2.36-9+deb12u13; No fix yet | 2.6%; Low-Moderate Risk | Directly Exposed |
| CVE-2026-26960 | LOW 3.62 | tar 4.4.19; fixed in 7.5.8 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-26960 | LOW 3.62 | tar 6.2.1; fixed in 7.5.8 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-26960 | LOW 3.62 | tar 7.5.2; fixed in 7.5.8 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2019-1010022 | LOW 3.53 | libc6 2.36-9+deb12u13; No fix yet | 3.2%; Low-Moderate Risk | Post-Exploit |
| CVE-2026-47131 | LOW 3.48 | vm2 3.9.17; fixed in 3.11.4 | 0.7%; Theoretical Threat | Directly Exposed |
| CVE-2026-47137 | LOW 3.48 | vm2 3.9.17; fixed in 3.11.4 | 0.7%; Theoretical Threat | Directly Exposed |
| CVE-2026-47140 | LOW 3.48 | vm2 3.9.17; fixed in 3.11.4 | 0.9%; Theoretical Threat | Directly Exposed |
| CVE-2026-4438 | LOW 3.4 | libc6 2.36-9+deb12u13; fixed in 2.36-9+deb12u14 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2025-69418 | LOW 3.4 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.18-1~deb12u2 | 0.1%; Theoretical Threat | Directly Exposed |
| CVE-2026-3449 | LOW 3.4 | @tootallnate/once 1.1.2; fixed in 3.0.1, 2.0.1 | 0.1%; Theoretical Threat | Directly Exposed |
| CVE-2026-3449 | LOW 3.4 | @tootallnate/once 2.0.0; fixed in 3.0.1, 2.0.1 | 0.1%; Theoretical Threat | Directly Exposed |
| CVE-2026-29786 | LOW 3.21 | tar 4.4.19; fixed in 7.5.10 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 6.2.1; fixed in 7.5.10 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 7.5.2; fixed in 7.5.10 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2019-1010023 | LOW 3.17 | libc6 2.36-9+deb12u13; No fix yet | 3.1%; Low-Moderate Risk | Post-Exploit |
| CVE-2026-45446 | LOW 3.15 | libssl3 3.0.17-1~deb12u3; fixed in 3.0.20-1~deb12u2 | 0.2%; Theoretical Threat | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.2; fixed in 0.7.0 | 0.7%; Theoretical Threat | Directly Exposed |
| CVE-2026-23745 | LOW 3.11 | tar 4.4.19; fixed in 7.5.3 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-23745 | LOW 3.11 | tar 6.2.1; fixed in 7.5.3 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-23745 | LOW 3.11 | tar 7.5.2; fixed in 7.5.3 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 4.4.19; fixed in 7.5.11 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 6.2.1; fixed in 7.5.11 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 7.5.2; fixed in 7.5.11 | 0.3%; Theoretical Threat | Post-Exploit |
| CVE-2026-24842 | LOW 2.51 | tar 4.4.19; fixed in 7.5.7 | 0.5%; Theoretical Threat | Post-Exploit |
| CVE-2026-24842 | LOW 2.51 | tar 6.2.1; fixed in 7.5.7 | 0.5%; Theoretical Threat | Post-Exploit |
| CVE-2026-24842 | LOW 2.51 | tar 7.5.2; fixed in 7.5.7 | 0.5%; Theoretical Threat | Post-Exploit |
| CVE-2024-28863 | LOW 1.99 | tar 4.4.19; fixed in 6.2.1 | 0.9%; Theoretical Threat | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 4.4.19; fixed in 7.5.4 | 0.2%; Theoretical Threat | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 6.2.1; fixed in 7.5.4 | 0.2%; Theoretical Threat | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 7.5.2; fixed in 7.5.4 | 0.2%; Theoretical Threat | Post-Exploit |
| CVE-2025-27587 | NONE 0 | libssl3 3.0.17-1~deb12u3; No fix yet | 0.4%; Theoretical Threat | Not Applicable |
| NSWG-ECO-428 | NONE 0 | base64url 0.0.6; fixed in >=3.0.0 | | Not Applicable |
| GHSA-rvg8-pwq2-xj7q | NONE 0 | base64url 0.0.6; fixed in 3.0.0 | | Not Applicable |
| GHSA-7rx3-28cr-v5wh | NONE 0 | handlebars 4.7.7; fixed in 4.7.9 | | Not Applicable |
| GHSA-442j-39wm-28r2 | NONE 0 | handlebars 4.7.7; fixed in 4.7.9 | | Not Applicable |
| CVE-2026-53550 | NONE 0 | js-yaml 3.14.1; fixed in 4.2.0 | | Not Applicable |
| NSWG-ECO-17 | NONE 0 | jsonwebtoken 0.1.0; fixed in >=4.2.2 | | Not Applicable |
| NSWG-ECO-17 | NONE 0 | jsonwebtoken 0.4.0; fixed in >=4.2.2 | | Not Applicable |
| CVE-2016-1000223 | NONE 0 | jws 0.2.6; fixed in >=3.0.0 | | Not Applicable |
| GHSA-5mrr-rgp6-x4gr | NONE 0 | marsdb 0.6.11; No fix yet | | Not Applicable |
| CVE-2025-57349 | NONE 0 | messageformat 2.3.0; fixed in 3.0.0-beta.0 | 0.4%; Theoretical Threat | Not Applicable |
| CVE-2025-47935 | NONE 0 | multer 1.4.5-lts.2; fixed in 2.0.0 | 0.7%; Theoretical Threat | Not Applicable |
| CVE-2025-47944 | NONE 0 | multer 1.4.5-lts.2; fixed in 2.0.0 | 0.7%; Theoretical Threat | Not Applicable |
| CVE-2026-5079 | NONE 0 | multer 1.4.5-lts.2; fixed in 2.2.0, 3.0.0-alpha.2 | 0.3%; Theoretical Threat | Not Applicable |
| CVE-2026-8723 | NONE 0 | qs 6.13.0; fixed in 6.15.2 | 0.3%; Theoretical Threat | Not Applicable |
| NSWG-ECO-154 | NONE 0 | sanitize-html 1.4.2; fixed in >=1.11.4 | | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 4.4.19; fixed in 7.5.16 | | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 6.2.1; fixed in 7.5.16 | | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 7.5.2; fixed in 7.5.16 | | Not Applicable |
| CVE-2026-47208 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.9%; Theoretical Threat | Not Applicable |
| CVE-2026-47210 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.9%; Theoretical Threat | Not Applicable |
| CVE-2026-47135 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.4%; Theoretical Threat | Not Applicable |
| CVE-2026-47139 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.5%; Theoretical Threat | Not Applicable |
| CVE-2026-47209 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.5%; Theoretical Threat | Not Applicable |
| CVE-2026-47141 | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | 0.5%; Theoretical Threat | Not Applicable |
| GHSA-2cm2-m3w5-gp2f | NONE 0 | vm2 3.9.17; fixed in 3.11.2 | | Not Applicable |
| GHSA-q3fm-4wcw-g57x | NONE 0 | vm2 3.9.17; fixed in 3.11.4 | | Not Applicable |
| CVE-2026-48779 | NONE 0 | ws 7.4.6; fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | | Not Applicable |
| CVE-2026-48779 | NONE 0 | ws 8.17.1; fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | | Not Applicable |