Last scanned:
This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The image contains a total of 25 exposed-surface vulnerabilities and 16 post-exploit-only vulnerabilities, but the highest severity is only 6.0 (CVE-2026-33630). This vulnerability is a use-after-free in the c-ares DNS resolver that could allow a denial of service if an attacker can inject crafted DNS responses over the network. The image's official status and high trust score partially offset the risk, but applying updates to c-ares or implementing network-level DNS filtering would further protect the Drupal container.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-33630 | MEDIUM6 | c-ares 1.34.6-r0 fixed in 1.34.8-r0 | — | Directly ExposedContext importance: MEDIUM |
| CVE-2024-45440 | MEDIUM4.24 | drupal/core 9.8.0 fixed in 10.3.6, 11.0.5, 10.2.9 | 9.3% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2024-45440 | MEDIUM4.24 | drupal/core-recommended 9.8.0 fixed in 10.3.6, 11.0.5, 10.2.9 | 9.3% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-4873 | LOW2.7 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-6253 | LOW2.7 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-7009 | LOW2.7 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-7168 | LOW2.7 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-4873 | LOW2.7 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-6253 | LOW2.7 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-7009 | LOW2.7 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-7168 | LOW2.7 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-5773 | LOW2.29 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-6276 | LOW2.29 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-5773 | LOW2.29 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-6276 | LOW2.29 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-5545 | LOW1.99 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-6429 | LOW1.99 | curl 8.19.0-r0 fixed in 8.20.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-5545 | LOW1.99 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-6429 | LOW1.99 | libcurl 8.19.0-r0 fixed in 8.20.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-9082 | NONE0 | drupal/core 9.8.0 fixed in 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10 | 84.6% Actively Exploited | Not ApplicableContext importance: HIGH |
| CVE-2024-55637 | NONE0 | drupal/core 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.8% Theoretical Threat | Not Applicable |
| CVE-2024-55638 | NONE0 | drupal/core 9.8.0 fixed in 10.2.11, 10.3.9, 7.102 | 1.0% Theoretical Threat | Not Applicable |
| CVE-2024-12393 | NONE0 | drupal/core 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2024-55634 | NONE0 | drupal/core 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2025-13081 | NONE0 | drupal/core 9.8.0 fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2025-3057 | NONE0 | drupal/core 9.8.0 fixed in 10.3.13, 10.4.3, 11.0.12, 11.1.3 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2025-31673 | NONE0 | drupal/core 9.8.0 fixed in 10.3.13, 10.4.3, 11.0.12, 11.1.3 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2025-31674 | NONE0 | drupal/core 9.8.0 fixed in 10.3.13, 10.4.3, 11.0.12, 11.1.3 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-6365 | NONE0 | drupal/core 9.8.0 fixed in 10.5.9, 10.6.7, 11.2.11, 11.3.7 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-6366 | NONE0 | drupal/core 9.8.0 fixed in 10.5.9, 10.6.7, 11.2.11, 11.3.7 | 0.4% Theoretical Threat | Not Applicable |
| GHSA-6ccv-8fgf-cjpw | NONE0 | drupal/core 9.8.0 fixed in 10.1.8, 10.2.2 | — | Not Applicable |
| CVE-2024-55636 | NONE0 | drupal/core 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.9% Theoretical Threat | Not Applicable |
| CVE-2025-13080 | NONE0 | drupal/core 9.8.0 fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2025-13082 | NONE0 | drupal/core 9.8.0 fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2025-13083 | NONE0 | drupal/core 9.8.0 fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8, 7.103 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2025-31675 | NONE0 | drupal/core 9.8.0 fixed in 10.3.14, 10.4.5, 11.0.13, 11.1.5 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2024-55637 | NONE0 | drupal/core-recommended 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.8% Theoretical Threat | Not Applicable |
| CVE-2024-55638 | NONE0 | drupal/core-recommended 9.8.0 fixed in 10.2.11, 10.3.9, 7.102 | 1.0% Theoretical Threat | Not Applicable |
| CVE-2024-12393 | NONE0 | drupal/core-recommended 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2024-55634 | NONE0 | drupal/core-recommended 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2024-55636 | NONE0 | drupal/core-recommended 9.8.0 fixed in 10.2.11, 10.3.9, 11.0.8 | 0.9% Theoretical Threat | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.