Vulnerability Reportbkimminich/juice-shop:v19.2.0

bkimminich/juice-shop:v19.2.0

DIGESTsha256:6e693a36dcd4da9df4ee57a1ffb1ff1f35aa0e6a44e17380db7adb876af0b9a5

Executive Summary

Threat ScoreDANGEROUS• Image contains 36 vulnerabilities with CVSS severity ≥ 7.0, including remote code execution and authentication bypass.• Critical vm2 sandbox escape vulnerabilities (CVE-2023-32314, CVE-2023-37466) allow full host compromise.• JWT verification bypass (CVE-2015-9235) directly undermines application authentication.• Application is intentionally vulnerable (Juice Shop) and unsuited for production environments.• High community trust does not mitigate the presence of exploitable critical flaws.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (86M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve full remote code execution via vm2 sandbox escapes (CVE-2023-32314, CVE-2023-37466), bypass authentication through JWT verification flaws (CVE-2015-9235), or execute arbitrary code via template injection. The image is a deliberately vulnerable application (Juice Shop) and is not intended for production use. No compensating controls fully eliminate these risks without disabling core application functionality.

Vulnerabilities

Vulnerability Log

178 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2023-32314	CRITICAL10	vm2 3.9.17 fixed in 3.9.18	5.6% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-37466	CRITICAL10	vm2 3.9.17 fixed in 3.10.0	2.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-37903	CRITICAL10	vm2 3.9.17 No fix yet	3.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2026-22709	CRITICAL10	vm2 3.9.17 fixed in 3.10.2	1.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2026-33937	CRITICAL9.8	handlebars 4.7.7 fixed in 4.7.9	1.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2015-9235	CRITICAL9.8	jsonwebtoken 0.1.0 fixed in 4.2.2	7.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2015-9235	CRITICAL9.8	jsonwebtoken 0.4.0 fixed in 4.2.2	7.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2026-4800	CRITICAL9.8	lodash 4.17.23 fixed in 4.18.0	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2019-10744	CRITICAL9.1	lodash 2.4.2 fixed in 4.17.12	5.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2026-26332	HIGH8.5	vm2 3.9.17 fixed in 3.11.0	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-43997	HIGH8.5	vm2 3.9.17 fixed in 3.11.0	0.7% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-44005	HIGH8.5	vm2 3.9.17 fixed in 3.11.0	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-44006	HIGH8.5	vm2 3.9.17 fixed in 3.11.0	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-44007	HIGH8.42	vm2 3.9.17 fixed in 3.11.1	0.8% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-26956	HIGH8.33	vm2 3.9.17 fixed in 3.10.5	0.7% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-44008	HIGH8.33	vm2 3.9.17 fixed in 3.11.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-44009	HIGH8.33	vm2 3.9.17 fixed in 3.11.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45411	HIGH8.33	vm2 3.9.17 fixed in 3.11.3	0.5% Theoretical Threat	Directly Exposed
CVE-2021-23337	HIGH8.28	lodash 2.4.2 fixed in 4.17.21	22.4% High Exploitation Risk	Directly Exposed
CVE-2026-45447	HIGH8.1	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	1.4% Low-Moderate Risk	Directly Exposed
CVE-2026-45445	HIGH7.73	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2023-46233	HIGH7.73	crypto-js 3.3.0 fixed in 4.2.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-24118	HIGH7.73	vm2 3.9.17 fixed in 3.11.0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-24120	HIGH7.73	vm2 3.9.17 fixed in 3.10.5	0.7% Theoretical Threat	Directly Exposed
CVE-2018-20796	HIGH7.5	libc6 2.41-12+deb13u1 No fix yet	5.8% Low-Moderate Risk	Directly Exposed
CVE-2019-9192	HIGH7.5	libc6 2.41-12+deb13u1 No fix yet	2.4% Low-Moderate Risk	Directly Exposed
CVE-2024-4068	HIGH7.5	braces 2.3.2 fixed in 3.0.3	1.5% Low-Moderate Risk	Directly Exposed
CVE-2022-25881	HIGH7.5	http-cache-semantics 3.8.1 fixed in 4.1.1	1.6% Low-Moderate Risk	Directly Exposed
CVE-2017-18214	HIGH7.5	moment 2.0.0 fixed in 2.19.3	3.7% Low-Moderate Risk	Directly Exposed
CVE-2022-24785	HIGH7.5	moment 2.0.0 fixed in 2.29.2	5.4% Low-Moderate Risk	Directly Exposed
CVE-2022-25887	HIGH7.5	sanitize-html 1.4.2 fixed in 2.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-32695	HIGH7.5	socket.io-parser 4.0.5 fixed in 4.2.3, 3.4.3, 3.3.4	1.1% Low-Moderate Risk	Directly Exposed
CVE-2020-8203	HIGH7.4	lodash.set 4.3.2 No fix yet	5.2% Low-Moderate Risk	Directly Exposed
CVE-2026-44001	HIGH7.31	vm2 3.9.17 fixed in 3.11.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-44004	HIGH7.31	vm2 3.9.17 fixed in 3.11.0	0.3% Theoretical Threat	Directly Exposed
CVE-2020-15084	HIGH7.28	express-jwt 0.1.3 fixed in 6.0.0	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-33941	MEDIUM6.97	handlebars 4.7.7 fixed in 4.7.9	0.3% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	libc6 2.41-12+deb13u1 fixed in 2.41-12+deb13u2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33938	MEDIUM6.88	handlebars 4.7.7 fixed in 4.7.9	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33940	MEDIUM6.88	handlebars 4.7.7 fixed in 4.7.9	0.6% Theoretical Threat	Directly Exposed
CVE-2022-23539	MEDIUM6.88	jsonwebtoken 0.1.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2022-23539	MEDIUM6.88	jsonwebtoken 0.4.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-24781	MEDIUM6.88	vm2 3.9.17 fixed in 3.11.0	1.0% Theoretical Threat	Directly Exposed
CVE-2022-41940	MEDIUM6.5	engine.io 4.1.2 fixed in 3.6.1, 6.2.1	1.9% Low-Moderate Risk	Directly Exposed
CVE-2018-3721	MEDIUM6.5	lodash 2.4.2 fixed in >=4.17.5	2.4% Low-Moderate Risk	Directly Exposed
CVE-2016-4055	MEDIUM6.5	moment 2.0.0 fixed in >=2.11.2	9.9% Low-Moderate Risk	Directly Exposed
CVE-2022-23540	MEDIUM6.46	jsonwebtoken 0.1.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2022-23540	MEDIUM6.46	jsonwebtoken 0.4.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33750	MEDIUM6.38	brace-expansion 1.1.12 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33750	MEDIUM6.38	brace-expansion 2.0.2 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33939	MEDIUM6.38	handlebars 4.7.7 fixed in 4.7.9	0.5% Theoretical Threat	Directly Exposed
CVE-2025-65945	MEDIUM6.38	jws 0.2.6 fixed in 3.2.3, 4.0.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-26996	MEDIUM6.38	minimatch 3.0.5 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-26996	MEDIUM6.38	minimatch 3.0.8 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-2359	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3304	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3520	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-30951	MEDIUM6.38	sequelize 6.37.7 fixed in 6.37.8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33151	MEDIUM6.38	socket.io-parser 4.0.5 fixed in 3.3.5, 3.4.4, 4.2.6	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41907	MEDIUM6.38	uuid 8.3.2 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45736	MEDIUM6.38	ws 8.17.1 fixed in 8.20.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38355	MEDIUM6.21	socket.io 3.1.2 fixed in 2.5.1, 4.6.2	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44000	MEDIUM6.12	vm2 3.9.17 fixed in 3.11.0	0.2% Theoretical Threat	Directly Exposed
CVE-2017-16016	MEDIUM6.1	sanitize-html 1.4.2 fixed in 1.11.4	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-37890	MEDIUM5.9	ws 7.4.6 fixed in 5.2.4, 6.2.3, 7.5.10, 8.17.1	1.3% Low-Moderate Risk	Directly Exposed
CVE-2018-16487	MEDIUM5.6	lodash 2.4.2 fixed in >=4.17.11	1.9% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.41-12+deb13u1 fixed in 2.41-12+deb13u3	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.41-12+deb13u1 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27904	MEDIUM5.52	minimatch 3.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-27904	MEDIUM5.52	minimatch 3.0.8 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4	0.5% Theoretical Threat	Directly Exposed
CVE-2021-23771	MEDIUM5.52	notevil 1.3.3 No fix yet	1.0% Theoretical Threat	Directly Exposed
CVE-2026-33671	MEDIUM5.52	picomatch 2.3.1 fixed in 4.0.4, 3.0.2, 2.3.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33671	MEDIUM5.52	picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.4% Theoretical Threat	Directly Exposed
CVE-2022-23541	MEDIUM5.35	jsonwebtoken 0.1.0 fixed in 9.0.0	0.8% Theoretical Threat	Directly Exposed
CVE-2022-23541	MEDIUM5.35	jsonwebtoken 0.4.0 fixed in 9.0.0	0.8% Theoretical Threat	Directly Exposed
CVE-2019-1010024	MEDIUM5.3	libc6 2.41-12+deb13u1 No fix yet	3.2% Low-Moderate Risk	Directly Exposed
CVE-2019-1010025	MEDIUM5.3	libc6 2.41-12+deb13u1 No fix yet	2.3% Low-Moderate Risk	Directly Exposed
CVE-2022-33987	MEDIUM5.3	got 8.3.2 fixed in 12.1.0, 11.8.5	1.9% Low-Moderate Risk	Directly Exposed
CVE-2024-4067	MEDIUM5.3	micromatch 3.1.10 fixed in 4.0.8	1.4% Low-Moderate Risk	Directly Exposed
CVE-2021-26539	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.3.1	2.0% Low-Moderate Risk	Directly Exposed
CVE-2021-26540	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.3.2	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-21501	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.12.1	1.0% Low-Moderate Risk	Directly Exposed
CVE-2026-42338	MEDIUM5.18	ip-address 10.1.0 fixed in 10.1.1	0.3% Theoretical Threat	Directly Exposed
CVE-2016-1000237	MEDIUM5.18	sanitize-html 1.4.2 fixed in >=1.4.3	0.8% Theoretical Threat	Directly Exposed
CVE-2019-25225	MEDIUM5.18	sanitize-html 1.4.2 fixed in 2.0.0-beta	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.41-12+deb13u1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	libc6 2.41-12+deb13u1 fixed in 2.41-12+deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27903	MEDIUM5.02	minimatch 3.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-27903	MEDIUM5.02	minimatch 3.0.8 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.5-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44002	MEDIUM4.93	vm2 3.9.17 fixed in 3.11.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44003	MEDIUM4.93	vm2 3.9.17 fixed in 3.11.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib1g 1:1.3.dfsg+really1.3.1-1+b1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	libc6 2.41-12+deb13u1 fixed in 2.41-12+deb13u2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.41-12+deb13u1 fixed in 2.41-12+deb13u3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31808	MEDIUM4.5	file-type 16.5.4 fixed in 21.3.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2950	MEDIUM4.5	lodash 2.4.2 fixed in 4.18.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2950	MEDIUM4.5	lodash 4.17.23 fixed in 4.18.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-48997	MEDIUM4.5	multer 1.4.5-lts.2 fixed in 2.0.1	0.4% Theoretical Threat	Directly Exposed
CVE-2025-7338	MEDIUM4.5	multer 1.4.5-lts.2 fixed in 2.0.2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4867	MEDIUM4.5	path-to-regexp 0.1.12 fixed in 0.1.13	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33672	MEDIUM4.5	picomatch 2.3.1 fixed in 4.0.4, 3.0.2, 2.3.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33672	MEDIUM4.5	picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2	0.4% Theoretical Threat	Directly Exposed
CVE-2023-32313	MEDIUM4.5	vm2 3.9.17 fixed in 3.9.18	0.8% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libc6 2.41-12+deb13u1 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libc6 2.41-12+deb13u1 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33916	MEDIUM4	handlebars 4.7.7 fixed in 4.7.9	0.2% Theoretical Threat	Directly Exposed
CVE-2010-4756	MEDIUM4	libc6 2.41-12+deb13u1 No fix yet	2.6% Low-Moderate Risk	Directly Exposed
CVE-2026-26960	LOW3.62	tar 4.4.19 fixed in 7.5.8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-26960	LOW3.62	tar 6.2.1 fixed in 7.5.8	0.3% Theoretical Threat	Post-Exploit
CVE-2019-1010022	LOW3.53	libc6 2.41-12+deb13u1 No fix yet	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-47131	LOW3.48	vm2 3.9.17 fixed in 3.11.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-47137	LOW3.48	vm2 3.9.17 fixed in 3.11.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-47140	LOW3.48	vm2 3.9.17 fixed in 3.11.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.41-12+deb13u1 fixed in 2.41-12+deb13u3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3449	LOW3.4	@tootallnate/once 1.1.2 fixed in 3.0.1, 2.0.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-3449	LOW3.4	@tootallnate/once 2.0.0 fixed in 3.0.1, 2.0.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-29786	LOW3.21	tar 4.4.19 fixed in 7.5.10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-29786	LOW3.21	tar 6.2.1 fixed in 7.5.10	0.3% Theoretical Threat	Post-Exploit
CVE-2019-1010023	LOW3.17	libc6 2.41-12+deb13u1 No fix yet	3.1% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libssl3t64 3.5.4-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2024-47764	LOW3.15	cookie 0.4.2 fixed in 0.7.0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-23745	LOW3.11	tar 4.4.19 fixed in 7.5.3	0.3% Theoretical Threat	Post-Exploit
CVE-2026-23745	LOW3.11	tar 6.2.1 fixed in 7.5.3	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31802	LOW2.8	tar 4.4.19 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31802	LOW2.8	tar 6.2.1 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31802	LOW2.8	tar 7.5.10 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-24842	LOW2.51	tar 4.4.19 fixed in 7.5.7	0.5% Theoretical Threat	Post-Exploit
CVE-2026-24842	LOW2.51	tar 6.2.1 fixed in 7.5.7	0.5% Theoretical Threat	Post-Exploit
CVE-2024-28863	LOW1.99	tar 4.4.19 fixed in 6.2.1	0.9% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 4.4.19 fixed in 7.5.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 6.2.1 fixed in 7.5.4	0.2% Theoretical Threat	Post-Exploit
NSWG-ECO-428	NONE0	base64url 0.0.6 fixed in >=3.0.0	—	Not Applicable
GHSA-rvg8-pwq2-xj7q	NONE0	base64url 0.0.6 fixed in 3.0.0	—	Not Applicable
GHSA-7rx3-28cr-v5wh	NONE0	handlebars 4.7.7 fixed in 4.7.9	—	Not Applicable
GHSA-442j-39wm-28r2	NONE0	handlebars 4.7.7 fixed in 4.7.9	—	Not Applicable
CVE-2026-53550	NONE0	js-yaml 3.14.2 fixed in 4.2.0	—	Not Applicable
NSWG-ECO-17	NONE0	jsonwebtoken 0.1.0 fixed in >=4.2.2	—	Not Applicable
NSWG-ECO-17	NONE0	jsonwebtoken 0.4.0 fixed in >=4.2.2	—	Not Applicable
CVE-2016-1000223	NONE0	jws 0.2.6 fixed in >=3.0.0	—	Not Applicable
GHSA-5mrr-rgp6-x4gr	NONE0	marsdb 0.6.11 No fix yet	—	Not Applicable
CVE-2025-57349	NONE0	messageformat 2.3.0 fixed in 3.0.0-beta.0	0.4% Theoretical Threat	Not Applicable
CVE-2025-47935	NONE0	multer 1.4.5-lts.2 fixed in 2.0.0	0.7% Theoretical Threat	Not Applicable
CVE-2025-47944	NONE0	multer 1.4.5-lts.2 fixed in 2.0.0	0.7% Theoretical Threat	Not Applicable
CVE-2026-5079	NONE0	multer 1.4.5-lts.2 fixed in 2.2.0, 3.0.0-alpha.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-8723	NONE0	qs 6.14.2 fixed in 6.15.2	0.3% Theoretical Threat	Not Applicable
NSWG-ECO-154	NONE0	sanitize-html 1.4.2 fixed in >=1.11.4	—	Not Applicable
CVE-2026-53655	NONE0	tar 4.4.19 fixed in 7.5.16	—	Not Applicable
CVE-2026-53655	NONE0	tar 6.2.1 fixed in 7.5.16	—	Not Applicable
CVE-2026-53655	NONE0	tar 7.5.10 fixed in 7.5.16	—	Not Applicable
CVE-2026-47208	NONE0	vm2 3.9.17 fixed in 3.11.4	0.9% Theoretical Threat	Not Applicable
CVE-2026-47210	NONE0	vm2 3.9.17 fixed in 3.11.4	0.9% Theoretical Threat	Not Applicable
CVE-2026-47135	NONE0	vm2 3.9.17 fixed in 3.11.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-47139	NONE0	vm2 3.9.17 fixed in 3.11.4	0.5% Theoretical Threat	Not Applicable
CVE-2026-47209	NONE0	vm2 3.9.17 fixed in 3.11.4	0.5% Theoretical Threat	Not Applicable
CVE-2026-47141	NONE0	vm2 3.9.17 fixed in 3.11.4	0.5% Theoretical Threat	Not Applicable
GHSA-2cm2-m3w5-gp2f	NONE0	vm2 3.9.17 fixed in 3.11.2	—	Not Applicable
GHSA-q3fm-4wcw-g57x	NONE0	vm2 3.9.17 fixed in 3.11.4	—	Not Applicable
CVE-2026-48779	NONE0	ws 7.4.6 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable
CVE-2026-48779	NONE0	ws 8.17.1 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable