Vulnerability Reportelasticsearch:8.18.1

elasticsearch:8.18.1
DIGESTsha256:5823091e62c231e68301ff68d9643e023e82e749d343737c1fc26457505dca1c

Executive Summary

Last scanned:

Threat Score
100/100DANGEROUS
Reputation
TRUSTED

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling to bypass authentication, execute arbitrary code via Jackson deserialization, or cause a denial of service via HTTP/2 CONTINUATION flood. While the Tika XXE vulnerabilities (e.g., CVE-2025-66516) require the optional Ingest Attachment plugin which is not enabled by default, the Netty and Jackson flaws are exploitable without any special configuration and lead to severe consequences. No compensating controls fully eliminate the risk; immediate remediation is required.

Vulnerabilities

Vulnerability Log

66 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2026-42581HIGH8.33
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2025-66516HIGH8
org.apache.tika:tika-core
2.9.3
fixed in 3.2.2
79.8%
Actively Exploited
Directly ExposedContext importance: MEDIUM
CVE-2025-66516HIGH8
org.apache.tika:tika-parser-pdf-module
2.9.3
fixed in 3.2.2
79.8%
Actively Exploited
Directly ExposedContext importance: MEDIUM
CVE-2025-54988HIGH7.52
org.apache.tika:tika-parser-pdf-module
2.9.3
fixed in 3.2.2
3.0%
Low-Moderate Risk
Directly ExposedContext importance: MEDIUM
CVE-2026-33871HIGH7.5
io.netty:netty-codec-http2
4.1.118.Final
fixed in 4.1.132.Final, 4.2.11.Final
1.1%
Low-Moderate Risk
Directly ExposedContext importance: HIGH
CVE-2026-54512MEDIUM6.88
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 2.18.8, 3.1.4, 2.21.4
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-54513MEDIUM6.88
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 2.18.8, 2.21.4, 3.1.4
0.7%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-45674MEDIUM6.8
io.netty:netty-resolver-dns
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.2%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-47691MEDIUM6.8
io.netty:netty-resolver-dns
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-42583MEDIUM6.38
io.netty:netty-codec
4.1.118.Final
fixed in 4.1.133.Final
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-58057MEDIUM6.38
io.netty:netty-codec
4.1.118.Final
fixed in 4.1.125.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-33870MEDIUM6.38
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.1.132.Final, 4.2.10.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-42587MEDIUM6.38
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-42585MEDIUM6.38
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-58056MEDIUM6.38
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.1.125.Final, 4.2.5.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2025-55163MEDIUM6.38
io.netty:netty-codec-http2
4.1.118.Final
fixed in 4.2.4.Final, 4.1.124.Final
1.0%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-42587MEDIUM6.38
io.netty:netty-codec-http2
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-48043MEDIUM6.38
io.netty:netty-codec-http2
4.1.118.Final
fixed in 4.1.135.Final, 4.2.15.Final
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-45416MEDIUM6.38
io.netty:netty-handler
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-50010MEDIUM6.38
io.netty:netty-handler
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42578MEDIUM6.38
io.netty:netty-handler-proxy
4.1.118.Final
fixed in 4.1.133.Final, 4.2.13.Final
1.0%
Theoretical Threat
Directly Exposed
CVE-2026-45292MEDIUM6.38
io.opentelemetry:opentelemetry-api
1.31.0
fixed in 1.62.0
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-34480MEDIUM6.38
org.apache.logging.log4j:log4j-core
2.12.4
fixed in 2.25.4
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-34480MEDIUM6.38
org.apache.logging.log4j:log4j-core
2.19.0
fixed in 2.25.4
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-5588MEDIUM6.38
org.bouncycastle:bcpkix-jdk18on
1.78.1
fixed in 1.84
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-66566MEDIUM6.38
org.lz4:lz4-java
1.8.0
No fix yet
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2025-37731MEDIUM6.29
org.elasticsearch:elasticsearch
8.18.1
fixed in 8.19.8, 9.1.8, 9.2.2
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-42579MEDIUM6.18
io.netty:netty-codec-dns
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
1.0%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-42584MEDIUM6.18
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.8%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-4802MEDIUM5.95
libc-bin
2.31-0ubuntu9.17
fixed in 2.31-0ubuntu9.18
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-4802MEDIUM5.95
libc6
2.31-0ubuntu9.17
fixed in 2.31-0ubuntu9.18
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-45673MEDIUM5.78
io.netty:netty-resolver-dns
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-67735MEDIUM5.52
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.8.Final, 4.1.129.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-41417MEDIUM5.52
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.1.133.Final, 4.2.13.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42580MEDIUM5.52
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-0636MEDIUM5.52
org.bouncycastle:bcprov-jdk18on
1.78.1
fixed in 1.84
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-68384MEDIUM5.52
org.elasticsearch.plugin:x-pack-security
8.18.1
fixed in 8.19.9, 9.1.9, 9.2.3
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-12183MEDIUM5.52
org.lz4:lz4-java
1.8.0
fixed in 1.8.1
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-44249MEDIUM5.5
io.netty:netty-handler
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-22227MEDIUM5.18
io.projectreactor.netty:reactor-netty-http
1.0.45
fixed in 1.3.0-M5, 1.2.8
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-7962MEDIUM5.1
com.sun.mail:jakarta.mail
1.6.3
fixed in 1.6.8, 2.0.2
0.8%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-7962MEDIUM5.1
com.sun.mail:jakarta.mail
1.6.4
fixed in 1.6.8, 2.0.2
0.8%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-3576MEDIUM5.02
libgssapi-krb5-2
1.17-6ubuntu4.9
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libk5crypto3
1.17-6ubuntu4.9
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libkrb5-3
1.17-6ubuntu4.9
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libkrb5support0
1.17-6ubuntu4.9
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-34477MEDIUM5.02
org.apache.logging.log4j:log4j-core
2.12.4
fixed in 2.25.4
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-34477MEDIUM5.02
org.apache.logging.log4j:log4j-core
2.19.0
fixed in 2.25.4
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-37727MEDIUM4.84
org.elasticsearch:elasticsearch
8.18.1
fixed in 8.18.8, 8.19.5, 9.0.8, 9.1.5
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-29088MEDIUM4.67
libsqlite3-0
3.31.1-4ubuntu0.6
fixed in 3.31.1-4ubuntu0.7
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-54514MEDIUM4.5
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 2.18.8, 2.21.4, 3.1.4
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-54515MEDIUM4.5
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 3.1.4, 2.18.9, 2.21.5, 2.22.1
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-50020MEDIUM4.5
io.netty:netty-codec-http
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-47244MEDIUM4.5
io.netty:netty-codec-http2
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-50560MEDIUM4.5
io.netty:netty-codec-http2
4.1.118.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-8885MEDIUM4.5
org.bouncycastle:bc-fips
1.0.2.5
fixed in 1.0.2.6, 2.0.1
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-8916MEDIUM4.5
org.bouncycastle:bcpkix-jdk18on
1.78.1
fixed in 1.79
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-68390MEDIUM4.17
org.elasticsearch.plugin:x-pack-core
8.18.1
fixed in 8.19.8, 9.1.8, 9.2.2
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-68161MEDIUM4.08
org.apache.logging.log4j:log4j-core
2.12.4
fixed in 2.25.3
0.7%
Theoretical Threat
Directly Exposed
CVE-2025-68161MEDIUM4.08
org.apache.logging.log4j:log4j-core
2.19.0
fixed in 2.25.3
0.7%
Theoretical Threat
Directly Exposed
CVE-2025-48924LOW3.7
org.apache.commons:commons-lang3
3.17.0
fixed in 3.18.0
2.2%
Low-Moderate Risk
Directly Exposed
CVE-2025-48924LOW3.7
org.apache.commons:commons-lang3
3.9
fixed in 3.18.0
2.2%
Low-Moderate Risk
Directly Exposed
CVE-2026-34479LOW2.29
org.apache.logging.log4j:log4j-1.2-api
2.19.0
fixed in 2.25.4
0.5%
Theoretical Threat
Post-Exploit
CVE-2025-14813LOW2.29
org.bouncycastle:bcprov-jdk18on
1.78.1
fixed in 1.80.2, 1.81.1, 1.84
0.3%
Theoretical Threat
Post-Exploit
GHSA-72hv-8253-57qqNONE0
com.fasterxml.jackson.core:jackson-core
2.15.0
fixed in 2.21.1, 2.18.6
Not Applicable
GHSA-72hv-8253-57qqNONE0
com.fasterxml.jackson.core:jackson-core
2.17.2
fixed in 2.21.1, 2.18.6
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.