Vulnerability Reportfluent/fluent-bit:5.0.3

fluent/fluent-bit:5.0.3

DIGESTsha256:ed82cb1f929b6f5a11c70d34e417e8ae25f130f7cc467460b718a946df84d562

Executive Summary

Threat ScoreCAUTION• 15 exposed vulnerabilities with severity ≥6.0, including CVE-2026-6478 (6.97, credential timing in PostgreSQL) and CVE-2026-42010 (6.66, auth bypass if RSA-PSK enabled).• No critical or high-severity vulnerabilities (none ≥7.0) and all post-exploit findings are low severity (max 3.53).• Image has high community trust (15B+ pulls) and is pinned by digest, reducing supply chain risk.• Many vulnerabilities require specific configurations (e.g., RSA-PSK for CVE-2026-42010) or have low exploit probability (EPSS ≤0.01).

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (15282M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. 86 moderate-severity vulnerabilities exist, but none reach critical severity. An attacker could recover MD5-hashed PostgreSQL passwords via timing (CVE-2026-6478) or bypass TLS authentication if RSA-PSK is enabled (CVE-2026-42010). Mitigations include using scram-sha-256 passwords and disabling RSA-PSK. Most other issues are denial-of-service and conditionally exploitable. Post-exploit vulnerabilities are low severity (max 3.53), limiting impact after compromise.

Vulnerabilities

Vulnerability Log

118 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-6478	MEDIUM6.97	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42010	MEDIUM6.66	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-29111	MEDIUM6.63	libsystemd0 257.9-1~deb13u1 fixed in 257.13-1~deb13u1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-41989	MEDIUM6.38	libgcrypt20 1.11.0-7 fixed in 1.11.0-7+deb13u1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33846	MEDIUM6.38	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-42009	MEDIUM6.38	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	libnghttp2-14 1.64.0-1.1 fixed in 1.64.0-1.1+deb13u1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2026-3833	MEDIUM6.29	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42011	MEDIUM6.29	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33845	MEDIUM6.18	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42012	MEDIUM6.03	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.3% Theoretical Threat	Directly Exposed
CVE-2018-20796	MEDIUM6	libc6 2.41-12+deb13u2 No fix yet	5.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2019-9192	MEDIUM6	libc6 2.41-12+deb13u2 No fix yet	2.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-4878	MEDIUM5.95	libcap2 1:2.75-10+b8 fixed in 1:2.75-10+deb13u1	0.2% Theoretical Threat	Directly Exposed
CVE-2024-2236	MEDIUM5.9	libgcrypt20 1.11.0-7 No fix yet	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-26461	MEDIUM5.9	libgssapi-krb5-2 1.21.3-5 No fix yet	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-26461	MEDIUM5.9	libk5crypto3 1.21.3-5 No fix yet	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-26461	MEDIUM5.9	libkrb5-3 1.21.3-5 No fix yet	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-26461	MEDIUM5.9	libkrb5support0 1.21.3-5 No fix yet	1.1% Low-Moderate Risk	Directly Exposed
CVE-2025-13151	MEDIUM5.9	libtasn1-6 4.20.0-2 No fix yet	1.1% Low-Moderate Risk	Directly Exposed
CVE-2026-22185	MEDIUM5.78	libldap2 2.6.10+dfsg-1 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-6477	MEDIUM5.71	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-6475	MEDIUM5.7	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4105	MEDIUM5.7	libsystemd0 257.9-1~deb13u1 fixed in 257.13-1~deb13u1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-42014	MEDIUM5.61	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.2% Theoretical Threat	Directly Exposed
CVE-2011-3389	MEDIUM5.59	libgnutls30t64 3.8.9-3+deb13u2 No fix yet	73.3% Actively Exploited	Directly Exposed
CVE-2026-42013	MEDIUM5.58	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5260	MEDIUM5.58	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.7% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4437	MEDIUM5.52	libc6 2.41-12+deb13u2 fixed in 2.41-12+deb13u3	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.41-12+deb13u2 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40225	MEDIUM5.44	libsystemd0 257.9-1~deb13u1 fixed in 257.13-1~deb13u1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-40226	MEDIUM5.44	libsystemd0 257.9-1~deb13u1 fixed in 257.13-1~deb13u1	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.4% Theoretical Threat	Directly Exposed
CVE-2019-1010024	MEDIUM5.3	libc6 2.41-12+deb13u2 No fix yet	3.2% Low-Moderate Risk	Directly Exposed
CVE-2019-1010025	MEDIUM5.3	libc6 2.41-12+deb13u2 No fix yet	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.41-12+deb13u2 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40355	MEDIUM5.02	libgssapi-krb5-2 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	libgssapi-krb5-2 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2024-26458	MEDIUM5.02	libgssapi-krb5-2 1.21.3-5 No fix yet	0.8% Theoretical Threat	Directly Exposed
CVE-2026-40355	MEDIUM5.02	libk5crypto3 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	libk5crypto3 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2024-26458	MEDIUM5.02	libk5crypto3 1.21.3-5 No fix yet	0.8% Theoretical Threat	Directly Exposed
CVE-2026-40355	MEDIUM5.02	libkrb5-3 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	libkrb5-3 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2024-26458	MEDIUM5.02	libkrb5-3 1.21.3-5 No fix yet	0.8% Theoretical Threat	Directly Exposed
CVE-2026-40355	MEDIUM5.02	libkrb5support0 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	libkrb5support0 1.21.3-5 fixed in 1.21.3-5+deb13u1	0.5% Theoretical Threat	Directly Exposed
CVE-2024-26458	MEDIUM5.02	libkrb5support0 1.21.3-5 No fix yet	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib1g 1:1.3.dfsg+really1.3.1-1+b1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-6472	MEDIUM4.59	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.41-12+deb13u2 fixed in 2.41-12+deb13u3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM4.5	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	liblzma5 5.8.1-1 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2023-31437	MEDIUM4.5	libsystemd0 257.9-1~deb13u1 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2023-31438	MEDIUM4.5	libsystemd0 257.9-1~deb13u1 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2023-31439	MEDIUM4.5	libsystemd0 257.9-1~deb13u1 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libc6 2.41-12+deb13u2 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libc6 2.41-12+deb13u2 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-11850	MEDIUM4.25	libgssapi-krb5-2 1.21.3-5 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-11850	MEDIUM4.25	libk5crypto3 1.21.3-5 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-11850	MEDIUM4.25	libkrb5-3 1.21.3-5 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-11850	MEDIUM4.25	libkrb5support0 1.21.3-5 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2020-15719	MEDIUM4.2	libldap2 2.6.10+dfsg-1 No fix yet	2.4% Low-Moderate Risk	Directly Exposed
CVE-2017-14159	MEDIUM4	libldap2 2.6.10+dfsg-1 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2010-4756	MEDIUM4	libc6 2.41-12+deb13u2 No fix yet	2.6% Low-Moderate Risk	Directly Exposed
CVE-2026-6474	LOW3.65	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.2% Theoretical Threat	Directly Exposed
CVE-2019-1010022	LOW3.53	libc6 2.41-12+deb13u2 No fix yet	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-4438	LOW3.4	libc6 2.41-12+deb13u2 fixed in 2.41-12+deb13u3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-6429	LOW3.31	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.7% Theoretical Threat	Post-Exploit
CVE-2019-1010023	LOW3.17	libc6 2.41-12+deb13u2 No fix yet	3.1% Low-Moderate Risk	Post-Exploit
CVE-2026-3832	LOW3.15	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5419	LOW3.15	libgnutls30t64 3.8.9-3+deb13u2 fixed in 3.8.9-3+deb13u4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-10966	LOW3.01	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-3783	LOW2.91	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2013-4392	LOW2.8	libsystemd0 257.9-1~deb13u1 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40228	LOW2.8	libsystemd0 257.9-1~deb13u1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7598	LOW2.78	libssh2-1t64 1.11.1-1 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Post-Exploit
CVE-2018-6829	LOW2.7	libgcrypt20 1.11.0-7 No fix yet	1.8% Low-Moderate Risk	Post-Exploit
CVE-2018-5709	LOW2.7	libgssapi-krb5-2 1.21.3-5 No fix yet	2.1% Low-Moderate Risk	Post-Exploit
CVE-2018-5709	LOW2.7	libk5crypto3 1.21.3-5 No fix yet	2.1% Low-Moderate Risk	Post-Exploit
CVE-2018-5709	LOW2.7	libkrb5-3 1.21.3-5 No fix yet	2.1% Low-Moderate Risk	Post-Exploit
CVE-2018-5709	LOW2.7	libkrb5support0 1.21.3-5 No fix yet	2.1% Low-Moderate Risk	Post-Exploit
CVE-2015-3276	LOW2.7	libldap2 2.6.10+dfsg-1 No fix yet	5.3% Low-Moderate Risk	Post-Exploit
CVE-2017-17740	LOW2.7	libldap2 2.6.10+dfsg-1 No fix yet	7.0% Low-Moderate Risk	Post-Exploit
CVE-2026-4873	LOW2.7	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6253	LOW2.7	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.5% Theoretical Threat	Post-Exploit
CVE-2026-7168	LOW2.7	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6473	LOW2.69	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6638	LOW2.69	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.2% Theoretical Threat	Post-Exploit
CVE-2025-15079	LOW2.48	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.5% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2025-15224	LOW2.4	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5773	LOW2.29	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6276	LOW2.29	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2025-13034	LOW2.08	libcurl4t64 8.14.1-2+deb13u2 fixed in 8.14.1-2+deb13u3	0.2% Theoretical Threat	Post-Exploit
CVE-2026-1965	LOW2.08	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW2.08	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3784	LOW1.99	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2026-5545	LOW1.99	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW1.99	libcurl4t64 8.14.1-2+deb13u2 No fix yet	0.6% Theoretical Threat	Post-Exploit
CVE-2026-6476	NONE0	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.3% Theoretical Threat	Not Applicable
CVE-2026-6479	NONE0	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.5% Theoretical Threat	Not Applicable
CVE-2026-6637	NONE0	libpq5 17.9-0+deb13u1 fixed in 17.10-0+deb13u1	0.4% Theoretical Threat	Not Applicable