Vulnerability Reportdrupal:11.4.4-php8.4-fpm-alpine3.23

drupal:11.4.4-php8.4-fpm-alpine3.23
DIGESTsha256:1ee20fc39b818190abf3899dc2f12e336c45667edfb8d91ccfda6cfe9c82ba7a

Executive Summary

Last scanned:

Threat Score
25/100NEEDS ATTENTION
Reputation
TRUSTED

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The image contains a total of 25 exposed-surface vulnerabilities and 16 post-exploit-only vulnerabilities, but the highest severity is only 6.0 (CVE-2026-33630). This vulnerability is a use-after-free in the c-ares DNS resolver that could allow a denial of service if an attacker can inject crafted DNS responses over the network. The image's official status and high trust score partially offset the risk, but applying updates to c-ares or implementing network-level DNS filtering would further protect the Drupal container.

Vulnerabilities

Vulnerability Log

41 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2026-33630MEDIUM6
c-ares
1.34.6-r0
fixed in 1.34.8-r0
Directly ExposedContext importance: MEDIUM
CVE-2024-45440MEDIUM4.24
drupal/core
9.8.0
fixed in 10.3.6, 11.0.5, 10.2.9
9.3%
Low-Moderate Risk
Directly ExposedContext importance: MEDIUM
CVE-2024-45440MEDIUM4.24
drupal/core-recommended
9.8.0
fixed in 10.3.6, 11.0.5, 10.2.9
9.3%
Low-Moderate Risk
Directly ExposedContext importance: MEDIUM
CVE-2026-4873LOW2.7
curl
8.19.0-r0
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-6253LOW2.7
curl
8.19.0-r0
fixed in 8.20.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-7009LOW2.7
curl
8.19.0-r0
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-7168LOW2.7
curl
8.19.0-r0
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-4873LOW2.7
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-6253LOW2.7
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.6%
Theoretical Threat
Post-Exploit
CVE-2026-7009LOW2.7
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-7168LOW2.7
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-5773LOW2.29
curl
8.19.0-r0
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-6276LOW2.29
curl
8.19.0-r0
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-5773LOW2.29
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-6276LOW2.29
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.3%
Theoretical Threat
Post-Exploit
CVE-2026-5545LOW1.99
curl
8.19.0-r0
fixed in 8.20.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-6429LOW1.99
curl
8.19.0-r0
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-5545LOW1.99
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-6429LOW1.99
libcurl
8.19.0-r0
fixed in 8.20.0-r0
0.5%
Theoretical Threat
Post-Exploit
CVE-2026-9082NONE0
drupal/core
9.8.0
fixed in 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10
84.6%
Actively Exploited
Not ApplicableContext importance: HIGH
CVE-2024-55637NONE0
drupal/core
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.8%
Theoretical Threat
Not Applicable
CVE-2024-55638NONE0
drupal/core
9.8.0
fixed in 10.2.11, 10.3.9, 7.102
1.0%
Theoretical Threat
Not Applicable
CVE-2024-12393NONE0
drupal/core
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.3%
Theoretical Threat
Not Applicable
CVE-2024-55634NONE0
drupal/core
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.4%
Theoretical Threat
Not Applicable
CVE-2025-13081NONE0
drupal/core
9.8.0
fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8
0.2%
Theoretical Threat
Not Applicable
CVE-2025-3057NONE0
drupal/core
9.8.0
fixed in 10.3.13, 10.4.3, 11.0.12, 11.1.3
0.3%
Theoretical Threat
Not Applicable
CVE-2025-31673NONE0
drupal/core
9.8.0
fixed in 10.3.13, 10.4.3, 11.0.12, 11.1.3
0.3%
Theoretical Threat
Not Applicable
CVE-2025-31674NONE0
drupal/core
9.8.0
fixed in 10.3.13, 10.4.3, 11.0.12, 11.1.3
0.5%
Theoretical Threat
Not Applicable
CVE-2026-6365NONE0
drupal/core
9.8.0
fixed in 10.5.9, 10.6.7, 11.2.11, 11.3.7
0.2%
Theoretical Threat
Not Applicable
CVE-2026-6366NONE0
drupal/core
9.8.0
fixed in 10.5.9, 10.6.7, 11.2.11, 11.3.7
0.4%
Theoretical Threat
Not Applicable
GHSA-6ccv-8fgf-cjpwNONE0
drupal/core
9.8.0
fixed in 10.1.8, 10.2.2
Not Applicable
CVE-2024-55636NONE0
drupal/core
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.9%
Theoretical Threat
Not Applicable
CVE-2025-13080NONE0
drupal/core
9.8.0
fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8
0.3%
Theoretical Threat
Not Applicable
CVE-2025-13082NONE0
drupal/core
9.8.0
fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8
0.2%
Theoretical Threat
Not Applicable
CVE-2025-13083NONE0
drupal/core
9.8.0
fixed in 10.4.9, 10.5.6, 11.1.9, 11.2.8, 7.103
0.2%
Theoretical Threat
Not Applicable
CVE-2025-31675NONE0
drupal/core
9.8.0
fixed in 10.3.14, 10.4.5, 11.0.13, 11.1.5
0.5%
Theoretical Threat
Not Applicable
CVE-2024-55637NONE0
drupal/core-recommended
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.8%
Theoretical Threat
Not Applicable
CVE-2024-55638NONE0
drupal/core-recommended
9.8.0
fixed in 10.2.11, 10.3.9, 7.102
1.0%
Theoretical Threat
Not Applicable
CVE-2024-12393NONE0
drupal/core-recommended
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.3%
Theoretical Threat
Not Applicable
CVE-2024-55634NONE0
drupal/core-recommended
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.4%
Theoretical Threat
Not Applicable
CVE-2024-55636NONE0
drupal/core-recommended
9.8.0
fixed in 10.2.11, 10.3.9, 11.0.8
0.9%
Theoretical Threat
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.