Last scanned:
This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit CVE-2025-66516 (Apache Tika XXE) to exfiltrate sensitive data or perform internal reconnaissance via malicious PDFs, and leverage CVE-2026-42581 (Netty request smuggling) to bypass security controls or poison caches. Disabling the ingest attachment plugin would fully eliminate the Tika vulnerabilities, but Netty flaws require urgent patching. Immediate remediation is required before any production use.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2025-66516 | CRITICAL10 | org.apache.tika:tika-core 2.9.2 fixed in 3.2.2 | 79.8% Actively Exploited | Directly ExposedContext importance: HIGH |
| CVE-2025-66516 | CRITICAL10 | org.apache.tika:tika-parser-pdf-module 2.9.2 fixed in 3.2.2 | 79.8% Actively Exploited | Directly ExposedContext importance: HIGH |
| CVE-2025-54988 | CRITICAL9.4 | org.apache.tika:tika-parser-pdf-module 2.9.2 fixed in 3.2.2 | 3.0% Low-Moderate Risk | Directly ExposedContext importance: HIGH |
| CVE-2026-42581 | HIGH8.33 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-33871 | HIGH7.5 | io.netty:netty-codec-http2 4.1.115.Final fixed in 4.1.132.Final, 4.2.11.Final | 1.1% Low-Moderate Risk | Directly ExposedContext importance: HIGH |
| CVE-2025-24970 | HIGH7.5 | io.netty:netty-handler 4.1.115.Final fixed in 4.1.118.Final | 2.1% Low-Moderate Risk | Directly ExposedContext importance: HIGH |
| CVE-2025-7962 | MEDIUM6.38 | com.sun.mail:jakarta.mail 1.6.3 fixed in 1.6.8, 2.0.2 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2025-7962 | MEDIUM6.38 | com.sun.mail:jakarta.mail 1.6.4 fixed in 1.6.8, 2.0.2 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-42583 | MEDIUM6.38 | io.netty:netty-codec 4.1.115.Final fixed in 4.1.133.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-58057 | MEDIUM6.38 | io.netty:netty-codec 4.1.115.Final fixed in 4.1.125.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-33870 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.1.132.Final, 4.2.10.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42587 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-42585 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-58056 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.1.125.Final, 4.2.5.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-55163 | MEDIUM6.38 | io.netty:netty-codec-http2 4.1.115.Final fixed in 4.2.4.Final, 4.1.124.Final | 1.0% Theoretical Threat | Directly Exposed |
| CVE-2026-42587 | MEDIUM6.38 | io.netty:netty-codec-http2 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-48043 | MEDIUM6.38 | io.netty:netty-codec-http2 4.1.115.Final fixed in 4.1.135.Final, 4.2.15.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-45416 | MEDIUM6.38 | io.netty:netty-handler 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-50010 | MEDIUM6.38 | io.netty:netty-handler 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42578 | MEDIUM6.38 | io.netty:netty-handler-proxy 4.1.115.Final fixed in 4.1.133.Final, 4.2.13.Final | 1.0% Theoretical Threat | Directly Exposed |
| CVE-2026-45292 | MEDIUM6.38 | io.opentelemetry:opentelemetry-api 1.31.0 fixed in 1.62.0 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-34479 | MEDIUM6.38 | org.apache.logging.log4j:log4j-1.2-api 2.19.0 fixed in 2.25.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-34480 | MEDIUM6.38 | org.apache.logging.log4j:log4j-core 2.12.4 fixed in 2.25.4 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-34480 | MEDIUM6.38 | org.apache.logging.log4j:log4j-core 2.19.0 fixed in 2.25.4 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-5588 | MEDIUM6.38 | org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.84 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-66566 | MEDIUM6.38 | org.lz4:lz4-java 1.8.0 No fix yet | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-37731 | MEDIUM6.29 | org.elasticsearch:elasticsearch 8.16.2 fixed in 8.19.8, 9.1.8, 9.2.2 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-4802 | MEDIUM5.95 | libc-bin 2.31-0ubuntu9.16 fixed in 2.31-0ubuntu9.18 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-4802 | MEDIUM5.95 | libc6 2.31-0ubuntu9.16 fixed in 2.31-0ubuntu9.18 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2024-26461 | MEDIUM5.9 | libgssapi-krb5-2 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2024-26461 | MEDIUM5.9 | libk5crypto3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2024-26461 | MEDIUM5.9 | libkrb5-3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2024-26461 | MEDIUM5.9 | libkrb5support0 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2026-45673 | MEDIUM5.78 | io.netty:netty-resolver-dns 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-24528 | MEDIUM5.52 | libgssapi-krb5-2 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-24528 | MEDIUM5.52 | libk5crypto3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-24528 | MEDIUM5.52 | libkrb5-3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-24528 | MEDIUM5.52 | libkrb5support0 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-67735 | MEDIUM5.52 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.8.Final, 4.1.129.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41417 | MEDIUM5.52 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.1.133.Final, 4.2.13.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42580 | MEDIUM5.52 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-0636 | MEDIUM5.52 | org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-68384 | MEDIUM5.52 | org.elasticsearch.plugin:x-pack-security 8.16.2 fixed in 8.19.9, 9.1.9, 9.2.3 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-12183 | MEDIUM5.52 | org.lz4:lz4-java 1.8.0 fixed in 1.8.1 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-54512 | MEDIUM5.5 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 2.18.8, 3.1.4, 2.21.4 | 0.6% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-54513 | MEDIUM5.5 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 2.18.8, 2.21.4, 3.1.4 | 0.7% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-44249 | MEDIUM5.5 | io.netty:netty-handler 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2024-12243 | MEDIUM5.3 | libgnutls30 3.6.13-2ubuntu1.11 fixed in 3.6.13-2ubuntu1.12 | 1.2% Low-Moderate Risk | Directly Exposed |
| CVE-2024-12133 | MEDIUM5.3 | libtasn1-6 4.16.0-2 fixed in 4.16.0-2ubuntu0.1 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2024-29857 | MEDIUM5.2 | org.bouncycastle:bc-fips 1.0.2.4 fixed in 1.0.2.5 | 1.1% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2025-22227 | MEDIUM5.18 | io.projectreactor.netty:reactor-netty-http 1.0.45 fixed in 1.3.0-M5, 1.2.8 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libgssapi-krb5-2 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-26458 | MEDIUM5.02 | libgssapi-krb5-2 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libk5crypto3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-26458 | MEDIUM5.02 | libk5crypto3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libkrb5-3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-26458 | MEDIUM5.02 | libkrb5-3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libkrb5support0 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-26458 | MEDIUM5.02 | libkrb5support0 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.9 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-34477 | MEDIUM5.02 | org.apache.logging.log4j:log4j-core 2.12.4 fixed in 2.25.4 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-34477 | MEDIUM5.02 | org.apache.logging.log4j:log4j-core 2.19.0 fixed in 2.25.4 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-53864 | MEDIUM4.93 | com.nimbusds:nimbus-jose-jwt 9.37.3 fixed in 10.0.2, 9.37.4 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2025-37727 | MEDIUM4.84 | org.elasticsearch:elasticsearch 8.16.2 fixed in 8.18.8, 8.19.5, 9.0.8, 9.1.5 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-0395 | MEDIUM4.67 | libc-bin 2.31-0ubuntu9.16 fixed in 2.31-0ubuntu9.17 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-0395 | MEDIUM4.67 | libc6 2.31-0ubuntu9.16 fixed in 2.31-0ubuntu9.17 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-29088 | MEDIUM4.67 | libsqlite3-0 3.31.1-4ubuntu0.6 fixed in 3.31.1-4ubuntu0.7 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-25193 | MEDIUM4.67 | io.netty:netty-common 4.1.115.Final fixed in 4.1.118.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-54514 | MEDIUM4.5 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 2.18.8, 2.21.4, 3.1.4 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-54515 | MEDIUM4.5 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 3.1.4, 2.18.9, 2.21.5, 2.22.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-50020 | MEDIUM4.5 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-47244 | MEDIUM4.5 | io.netty:netty-codec-http2 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-50560 | MEDIUM4.5 | io.netty:netty-codec-http2 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-8885 | MEDIUM4.5 | org.bouncycastle:bc-fips 1.0.2.4 fixed in 1.0.2.6, 2.0.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-8916 | MEDIUM4.5 | org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.79 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-31672 | MEDIUM4.4 | org.apache.poi:poi-ooxml 5.2.5 fixed in 5.4.0 | 1.3% Low-Moderate Risk | Directly Exposed |
| CVE-2025-68390 | MEDIUM4.17 | org.elasticsearch.plugin:x-pack-core 8.16.2 fixed in 8.19.8, 9.1.8, 9.2.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-68161 | MEDIUM4.08 | org.apache.logging.log4j:log4j-core 2.12.4 fixed in 2.25.3 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2025-68161 | MEDIUM4.08 | org.apache.logging.log4j:log4j-core 2.19.0 fixed in 2.25.3 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2024-13176 | MEDIUM4 | libssl1.1 1.1.1f-1ubuntu2.23 fixed in 1.1.1f-1ubuntu2.24 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2024-3596 | LOW3.73 | libgssapi-krb5-2 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.8 | 14.9% High Exploitation Risk | Post-Exploit |
| CVE-2024-3596 | LOW3.73 | libk5crypto3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.8 | 14.9% High Exploitation Risk | Post-Exploit |
| CVE-2024-3596 | LOW3.73 | libkrb5-3 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.8 | 14.9% High Exploitation Risk | Post-Exploit |
| CVE-2024-3596 | LOW3.73 | libkrb5support0 1.17-6ubuntu4.7 fixed in 1.17-6ubuntu4.8 | 14.9% High Exploitation Risk | Post-Exploit |
| CVE-2024-9143 | LOW3.7 | libssl1.1 1.1.1f-1ubuntu2.23 fixed in 1.1.1f-1ubuntu2.24 | 6.0% Low-Moderate Risk | Directly Exposed |
| CVE-2025-48924 | LOW3.7 | org.apache.commons:commons-lang3 3.14.0 fixed in 3.18.0 | 2.2% Low-Moderate Risk | Directly Exposed |
| CVE-2025-48924 | LOW3.7 | org.apache.commons:commons-lang3 3.9 fixed in 3.18.0 | 2.2% Low-Moderate Risk | Directly Exposed |
| CVE-2026-45674 | LOW3.06 | io.netty:netty-resolver-dns 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-47691 | LOW3.06 | io.netty:netty-resolver-dns 4.1.115.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-42579 | LOW2.78 | io.netty:netty-codec-dns 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 1.0% Theoretical Threat | Post-Exploit |
| CVE-2026-42584 | LOW2.78 | io.netty:netty-codec-http 4.1.115.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2025-30258 | LOW2.4 | gpgv 2.2.19-3ubuntu2.2 fixed in 2.2.19-3ubuntu2.4 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2024-13176 | LOW2.4 | openssl 1.1.1f-1ubuntu2.23 fixed in 1.1.1f-1ubuntu2.24 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2024-57699 | LOW2.29 | net.minidev:json-smart 2.5.0 fixed in 2.5.2 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2024-57699 | LOW2.29 | net.minidev:json-smart 2.5.1 fixed in 2.5.2 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2025-14813 | LOW2.29 | org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.80.2, 1.81.1, 1.84 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2024-9143 | LOW2.22 | openssl 1.1.1f-1ubuntu2.23 fixed in 1.1.1f-1ubuntu2.24 | 6.0% Low-Moderate Risk | Post-Exploit |
| GHSA-72hv-8253-57qq | NONE0 | com.fasterxml.jackson.core:jackson-core 2.15.0 fixed in 2.21.1, 2.18.6 | — | Not Applicable |
| GHSA-72hv-8253-57qq | NONE0 | com.fasterxml.jackson.core:jackson-core 2.17.2 fixed in 2.21.1, 2.18.6 | — | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.