Vulnerability Reportfluxcd/flux-cli:v2.8.7

fluxcd/flux-cli:v2.8.7

DIGESTsha256:4bd0394705637ad5dfd63d70893a56c980d2e438def0b8a4579d54fad9be9593

Executive Summary

Threat ScoreCAUTION• 86 vulnerabilities found, including 16 with severity >=6.0 (max 6.8).• Top findings: CVE-2025-68121 (TLS certificate bypass, 6.8), CVE-2026-34183 (QUIC DoS, 6.38), CVE-2026-33814 (HTTP/2 DoS, 6.38).• Image is from popular community publisher, pinned by digest, with high trust score.• No post-exploitation vulnerabilities identified.

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (3M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit TLS certificate validation bypass (CVE-2025-68121) if the TLS configuration is dynamically mutated, or cause denial of service via QUIC or HTTP/2 attacks (CVE-2026-34183, CVE-2026-33814). Note that CVE-2025-68121 requires a non-default TLS configuration, reducing its exploitability. Updating affected libraries (Go, OpenSSL) is recommended.

Vulnerabilities

Vulnerability Log

102 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-68121	MEDIUM6.8	stdlib v1.25.5 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45022	MEDIUM6.38	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39829	MEDIUM6.38	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39830	MEDIUM6.38	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	golang.org/x/net v0.47.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41506	MEDIUM6.29	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.18.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42508	MEDIUM6.29	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-46595	MEDIUM6.03	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32952	MEDIUM6	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-35469	MEDIUM5.52	github.com/moby/spdystream v0.5.0 fixed in 0.5.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32280	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-46598	MEDIUM4.5	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.26.3 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34165	MEDIUM4.25	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.17.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-35206	LOW3.74	helm.sh/helm/v4 v4.1.3 fixed in 4.1.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45570	LOW2.94	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.6-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33186	LOW2.78	google.golang.org/grpc v1.78.0 fixed in 1.79.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35204	LOW2.63	helm.sh/helm/v4 v4.1.3 fixed in 4.1.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39821	LOW2.51	golang.org/x/net v0.53.0 fixed in 0.55.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39821	LOW2.51	golang.org/x/net v0.47.0 fixed in 0.55.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-35205	LOW2.39	helm.sh/helm/v4 v4.1.3 fixed in 4.1.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33762	LOW2.38	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.17.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.36.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-61726	LOW2.29	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.8% Theoretical Threat	Post-Exploit
CVE-2026-25679	LOW2.29	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Post-Exploit
CVE-2025-61728	LOW2.29	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.6% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.7.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.7.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.1	—	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.43.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.3 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.3 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.38.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable