Vulnerability Reportgitea/act_runner:0.5.0

gitea/act_runner:0.5gitea/act_runner:0.5.0

DIGESTsha256:9946000491cf19c3ed487c23e5da4f0c287010d791f495796c756e41e7a79cbe

Executive Summary

Threat ScoreCAUTION• 12 exposed vulnerabilities with severity >= 6.0 (max 6.66) out of 72 total; post-exploit findings are low (max 2.92).• CVE-2026-33747 (severity 6.66) – arbitrary file write/code execution via untrusted BuildKit frontend, requires special configuration.• CVE-2026-45570 (severity 6.53) – remote command injection when cloning malicious repos via SSH.• CVE-2026-34040 (severity 6.24) – authorization bypass via Docker socket, requires local access.

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (7M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit CVE-2026-45570 to execute arbitrary commands when the runner clones a malicious repository via SSH, or exploit CVE-2026-34040 to bypass authorization plugins if the Docker socket is accessible. Disabling SSH cloning or using only trusted repository sources would fully mitigate CVE-2026-45570. Note that CVE-2026-33747 requires a specially configured untrusted BuildKit frontend, which is not the default.

Vulnerabilities

Vulnerability Log

91 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-33747	MEDIUM6.66	github.com/moby/buildkit v0.13.2 fixed in 0.28.1	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45570	MEDIUM6.53	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45186	MEDIUM6.38	libexpat 2.7.5-r0 fixed in 2.8.1-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45022	MEDIUM6.38	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39830	MEDIUM6.38	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42508	MEDIUM6.29	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34040	MEDIUM6.24	github.com/docker/docker v25.0.13+incompatible fixed in 29.3.1	8.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-42306	MEDIUM6.12	github.com/docker/docker v25.0.13+incompatible No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-46595	MEDIUM6.03	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.50.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33748	MEDIUM5.1	github.com/moby/buildkit v0.13.2 fixed in 0.28.1	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39829	MEDIUM5.1	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	golang.org/x/net v0.50.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-46598	MEDIUM4.5	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27141	MEDIUM4.5	golang.org/x/net v0.50.0 fixed in 0.51.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41568	LOW3.31	github.com/docker/docker v25.0.13+incompatible No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41080	LOW3.15	libexpat 2.7.5-r0 fixed in 2.8.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.6-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-3783	LOW2.91	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33997	LOW2.48	github.com/docker/docker v25.0.13+incompatible fixed in 29.3.1	0.3% Theoretical Threat	Post-Exploit
CVE-2025-15558	LOW2.45	github.com/docker/cli v25.0.7+incompatible fixed in 29.2.0	0.4% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-27135	LOW2.29	nghttp2-libs 1.68.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-1965	LOW2.08	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW2.08	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-3784	LOW1.99	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW1.99	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW1.93	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-46680	NONE0	github.com/containerd/containerd v1.7.29 fixed in 1.7.32	—	Not Applicable
CVE-2026-53488	NONE0	github.com/containerd/containerd v1.7.29 fixed in 1.7.33	—	Not Applicable
CVE-2026-47262	NONE0	github.com/containerd/containerd v1.7.29 fixed in 1.7.33	—	Not Applicable
CVE-2026-41567	NONE0	github.com/docker/docker v25.0.13+incompatible No fix yet	0.1% Theoretical Threat	Not Applicable
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.8.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.18.0 fixed in 5.19.1	—	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.48.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.50.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.50.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.50.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.50.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.50.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.41.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable