Last scanned:
This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling to bypass authentication, execute arbitrary code via Jackson deserialization, or cause a denial of service via HTTP/2 CONTINUATION flood. While the Tika XXE vulnerabilities (e.g., CVE-2025-66516) require the optional Ingest Attachment plugin which is not enabled by default, the Netty and Jackson flaws are exploitable without any special configuration and lead to severe consequences. No compensating controls fully eliminate the risk; immediate remediation is required.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-42581 | HIGH8.33 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2025-66516 | HIGH8 | org.apache.tika:tika-core 2.9.3 fixed in 3.2.2 | 79.8% Actively Exploited | Directly ExposedContext importance: MEDIUM |
| CVE-2025-66516 | HIGH8 | org.apache.tika:tika-parser-pdf-module 2.9.3 fixed in 3.2.2 | 79.8% Actively Exploited | Directly ExposedContext importance: MEDIUM |
| CVE-2025-54988 | HIGH7.52 | org.apache.tika:tika-parser-pdf-module 2.9.3 fixed in 3.2.2 | 3.0% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33871 | HIGH7.5 | io.netty:netty-codec-http2 4.1.118.Final fixed in 4.1.132.Final, 4.2.11.Final | 1.1% Low-Moderate Risk | Directly ExposedContext importance: HIGH |
| CVE-2026-54512 | MEDIUM6.88 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 2.18.8, 3.1.4, 2.21.4 | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-54513 | MEDIUM6.88 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 2.18.8, 2.21.4, 3.1.4 | 0.7% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-45674 | MEDIUM6.8 | io.netty:netty-resolver-dns 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-47691 | MEDIUM6.8 | io.netty:netty-resolver-dns 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42583 | MEDIUM6.38 | io.netty:netty-codec 4.1.118.Final fixed in 4.1.133.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-58057 | MEDIUM6.38 | io.netty:netty-codec 4.1.118.Final fixed in 4.1.125.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-33870 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.1.132.Final, 4.2.10.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42587 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-42585 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-58056 | MEDIUM6.38 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.1.125.Final, 4.2.5.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2025-55163 | MEDIUM6.38 | io.netty:netty-codec-http2 4.1.118.Final fixed in 4.2.4.Final, 4.1.124.Final | 1.0% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42587 | MEDIUM6.38 | io.netty:netty-codec-http2 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-48043 | MEDIUM6.38 | io.netty:netty-codec-http2 4.1.118.Final fixed in 4.1.135.Final, 4.2.15.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-45416 | MEDIUM6.38 | io.netty:netty-handler 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-50010 | MEDIUM6.38 | io.netty:netty-handler 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42578 | MEDIUM6.38 | io.netty:netty-handler-proxy 4.1.118.Final fixed in 4.1.133.Final, 4.2.13.Final | 1.0% Theoretical Threat | Directly Exposed |
| CVE-2026-45292 | MEDIUM6.38 | io.opentelemetry:opentelemetry-api 1.31.0 fixed in 1.62.0 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-34480 | MEDIUM6.38 | org.apache.logging.log4j:log4j-core 2.12.4 fixed in 2.25.4 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-34480 | MEDIUM6.38 | org.apache.logging.log4j:log4j-core 2.19.0 fixed in 2.25.4 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-5588 | MEDIUM6.38 | org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.84 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-66566 | MEDIUM6.38 | org.lz4:lz4-java 1.8.0 No fix yet | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2025-37731 | MEDIUM6.29 | org.elasticsearch:elasticsearch 8.18.1 fixed in 8.19.8, 9.1.8, 9.2.2 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42579 | MEDIUM6.18 | io.netty:netty-codec-dns 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 1.0% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42584 | MEDIUM6.18 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.8% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-4802 | MEDIUM5.95 | libc-bin 2.31-0ubuntu9.17 fixed in 2.31-0ubuntu9.18 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-4802 | MEDIUM5.95 | libc6 2.31-0ubuntu9.17 fixed in 2.31-0ubuntu9.18 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-45673 | MEDIUM5.78 | io.netty:netty-resolver-dns 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-67735 | MEDIUM5.52 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.8.Final, 4.1.129.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41417 | MEDIUM5.52 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.1.133.Final, 4.2.13.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42580 | MEDIUM5.52 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-0636 | MEDIUM5.52 | org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-68384 | MEDIUM5.52 | org.elasticsearch.plugin:x-pack-security 8.18.1 fixed in 8.19.9, 9.1.9, 9.2.3 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-12183 | MEDIUM5.52 | org.lz4:lz4-java 1.8.0 fixed in 1.8.1 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-44249 | MEDIUM5.5 | io.netty:netty-handler 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.6% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-22227 | MEDIUM5.18 | io.projectreactor.netty:reactor-netty-http 1.0.45 fixed in 1.3.0-M5, 1.2.8 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-7962 | MEDIUM5.1 | com.sun.mail:jakarta.mail 1.6.3 fixed in 1.6.8, 2.0.2 | 0.8% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-7962 | MEDIUM5.1 | com.sun.mail:jakarta.mail 1.6.4 fixed in 1.6.8, 2.0.2 | 0.8% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-3576 | MEDIUM5.02 | libgssapi-krb5-2 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libk5crypto3 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libkrb5-3 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libkrb5support0 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-34477 | MEDIUM5.02 | org.apache.logging.log4j:log4j-core 2.12.4 fixed in 2.25.4 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-34477 | MEDIUM5.02 | org.apache.logging.log4j:log4j-core 2.19.0 fixed in 2.25.4 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-37727 | MEDIUM4.84 | org.elasticsearch:elasticsearch 8.18.1 fixed in 8.18.8, 8.19.5, 9.0.8, 9.1.5 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-29088 | MEDIUM4.67 | libsqlite3-0 3.31.1-4ubuntu0.6 fixed in 3.31.1-4ubuntu0.7 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-54514 | MEDIUM4.5 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 2.18.8, 2.21.4, 3.1.4 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-54515 | MEDIUM4.5 | com.fasterxml.jackson.core:jackson-databind 2.15.0 fixed in 3.1.4, 2.18.9, 2.21.5, 2.22.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-50020 | MEDIUM4.5 | io.netty:netty-codec-http 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-47244 | MEDIUM4.5 | io.netty:netty-codec-http2 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-50560 | MEDIUM4.5 | io.netty:netty-codec-http2 4.1.118.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-8885 | MEDIUM4.5 | org.bouncycastle:bc-fips 1.0.2.5 fixed in 1.0.2.6, 2.0.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-8916 | MEDIUM4.5 | org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.79 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-68390 | MEDIUM4.17 | org.elasticsearch.plugin:x-pack-core 8.18.1 fixed in 8.19.8, 9.1.8, 9.2.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-68161 | MEDIUM4.08 | org.apache.logging.log4j:log4j-core 2.12.4 fixed in 2.25.3 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2025-68161 | MEDIUM4.08 | org.apache.logging.log4j:log4j-core 2.19.0 fixed in 2.25.3 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2025-48924 | LOW3.7 | org.apache.commons:commons-lang3 3.17.0 fixed in 3.18.0 | 2.2% Low-Moderate Risk | Directly Exposed |
| CVE-2025-48924 | LOW3.7 | org.apache.commons:commons-lang3 3.9 fixed in 3.18.0 | 2.2% Low-Moderate Risk | Directly Exposed |
| CVE-2026-34479 | LOW2.29 | org.apache.logging.log4j:log4j-1.2-api 2.19.0 fixed in 2.25.4 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2025-14813 | LOW2.29 | org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.80.2, 1.81.1, 1.84 | 0.3% Theoretical Threat | Post-Exploit |
| GHSA-72hv-8253-57qq | NONE0 | com.fasterxml.jackson.core:jackson-core 2.15.0 fixed in 2.21.1, 2.18.6 | — | Not Applicable |
| GHSA-72hv-8253-57qq | NONE0 | com.fasterxml.jackson.core:jackson-core 2.17.2 fixed in 2.21.1, 2.18.6 | — | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.