Vulnerability Reportgocd/gocd-server:v24.1.0

gocd/gocd-server:v24.1.0

DIGESTsha256:ebb65dff2d0d234a8d2af200a31b0ad89dc4c60eec26a5460400fbd1db036162

Executive Summary

Threat ScoreDANGEROUS• 245 total vulnerabilities, including 33 with severity ≥7.0 and multiple critical remote code execution (RCE) CVEs.• CVE-2016-1000027 (severity 10.0) enables unauthenticated RCE via Java deserialization in Spring's HttpInvokerServiceExporter, directly accessible on the web-facing GoCD server.• CVE-2024-32002 (severity 10.0) allows RCE when cloning malicious repositories with submodules—core GoCD functionality.• CVE-2026-34197 (severity 10.0) permits authenticated RCE via ActiveMQ's Jolokia JMX-HTTP bridge, leveraging Spring XML deserialization.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via Java deserialization (CVE-2016-1000027), malicious repository cloning (CVE-2024-32002), or the ActiveMQ Jolokia bridge (CVE-2026-34197), gaining full control of the server. Mitigation: disabling symbolic link support in Git (`git config --global core.symlinks false`) fully eliminates CVE-2024-32002. Note: CVE-2021-42392 and CVE-2022-23221 require the H2 Console to be exposed, which may not be enabled by default.

Vulnerabilities

Vulnerability Log

269 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2016-1000027	CRITICAL10	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2024-32002	CRITICAL10	git 2.45.0-r1 fixed in 2.45.1-r0	25.3% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-34197	CRITICAL10	org.apache.activemq:activemq-broker 5.18.4 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly Exposed
CVE-2024-38819	CRITICAL9.75	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly Exposed
CVE-2026-45447	HIGH8.1	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-45447	HIGH8.1	libssl3 3.3.0-r6 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-22262	HIGH8.1	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly Exposed
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-6119	HIGH7.8	libcrypto3 3.3.0-r6 fixed in 3.3.2-r0	66.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-6119	HIGH7.8	libssl3 3.3.0-r6 fixed in 3.3.2-r0	66.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	HIGH7.73	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45445	HIGH7.73	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.20 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2024-33599	HIGH7.6	glibc 2.39-r3 fixed in 2.39-r5	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-33599	HIGH7.6	glibc-locale-en 2.39-r3 fixed in 2.39-r5	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-33599	HIGH7.6	glibc-locale-posix 2.39-r3 fixed in 2.39-r5	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-33599	HIGH7.6	ld-linux 2.39-r3 fixed in 2.39-r5	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-33599	HIGH7.6	libcrypt1 2.39-r3 fixed in 2.39-r5	1.3% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-client 5.18.4 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-openwire-legacy 5.18.4 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2024-12797	HIGH7.4	libcrypto3 3.3.0-r6 fixed in 3.4.1-r0	2.4% Low-Moderate Risk	Directly Exposed
CVE-2024-12797	HIGH7.4	libssl3 3.3.0-r6 fixed in 3.4.1-r0	2.4% Low-Moderate Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2021-23463	HIGH7.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-40466	HIGH7.04	org.apache.activemq:activemq-broker 5.18.4 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2021-22112	HIGH7.04	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-48976	MEDIUM6.89	commons-fileupload:commons-fileupload 1.5 fixed in 1.6.0	63.3% Actively Exploited	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc 2.39-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-en 2.39-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-posix 2.39-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	ld-linux 2.39-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	libcrypt1 2.39-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libssl3 3.3.0-r6 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-22257	MEDIUM6.66	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 10.0.20 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-22259	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-69421	MEDIUM6.38	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69421	MEDIUM6.38	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libssl3 3.3.0-r6 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.3.0-r6 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.3.0-r6 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.3.0-r6 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 5.18.4 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 5.18.4 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.74 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.3 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.3 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 5.18.4 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2024-52006	MEDIUM6	git 2.45.0-r1 fixed in 2.48.1-r0	1.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-52005	MEDIUM5.98	git 2.45.0-r1 fixed in 2.49.0-r0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2024-7264	MEDIUM5.98	curl 8.7.1-r2 fixed in 8.9.1-r0	16.2% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-7264	MEDIUM5.98	libcurl-openssl4 8.7.1-r2 fixed in 8.9.1-r0	16.2% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-9231	MEDIUM5.9	libcrypto3 3.3.0-r6 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-5535	MEDIUM5.9	libcrypto3 3.3.0-r6 fixed in 3.3.1-r3	5.6% Low-Moderate Risk	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libssl3 3.3.0-r6 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-5535	MEDIUM5.9	libssl3 3.3.0-r6 fixed in 3.3.1-r3	5.6% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.3.0-r6 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-4741	MEDIUM5.6	libcrypto3 3.3.0-r6 fixed in 3.3.1-r0	2.9% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.3.0-r6 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-4741	MEDIUM5.6	libssl3 3.3.0-r6 fixed in 3.3.1-r0	2.9% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.39-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-en 2.39-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-posix 2.39-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	ld-linux 2.39-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libcrypt1 2.39-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.3.0-r6 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.3.0-r6 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.20 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-33600	MEDIUM5.3	glibc 2.39-r3 fixed in 2.39-r5	1.2% Low-Moderate Risk	Directly Exposed
CVE-2024-33600	MEDIUM5.3	glibc-locale-en 2.39-r3 fixed in 2.39-r5	1.2% Low-Moderate Risk	Directly Exposed
CVE-2024-33600	MEDIUM5.3	glibc-locale-posix 2.39-r3 fixed in 2.39-r5	1.2% Low-Moderate Risk	Directly Exposed
CVE-2024-33600	MEDIUM5.3	ld-linux 2.39-r3 fixed in 2.39-r5	1.2% Low-Moderate Risk	Directly Exposed
CVE-2024-33600	MEDIUM5.3	libcrypt1 2.39-r3 fixed in 2.39-r5	1.2% Low-Moderate Risk	Directly Exposed
CVE-2024-4603	MEDIUM5.3	libcrypto3 3.3.0-r6 fixed in 3.3.0-r8	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-4603	MEDIUM5.3	libssl3 3.3.0-r6 fixed in 3.3.0-r8	1.1% Low-Moderate Risk	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 6.9.0.202403050737-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc 2.39-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-en 2.39-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-posix 2.39-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	ld-linux 2.39-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	libcrypt1 2.39-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc 2.39-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc-locale-en 2.39-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc-locale-posix 2.39-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	ld-linux 2.39-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	libcrypt1 2.39-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r1 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2024-12798	MEDIUM4.67	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.13, 1.3.15	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc 2.39-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.39-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-en 2.39-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-en 2.39-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-posix 2.39-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-posix 2.39-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	ld-linux 2.39-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	ld-linux 2.39-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	libcrypt1 2.39-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libcrypt1 2.39-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.74 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2024-34447	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.20 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.39-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.39-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-en 2.39-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-en 2.39-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-posix 2.39-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-posix 2.39-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	ld-linux 2.39-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	ld-linux 2.39-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libcrypt1 2.39-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libcrypt1 2.39-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM4.06	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-15467	MEDIUM4.06	libssl3 3.3.0-r6 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2024-13176	MEDIUM4	libcrypto3 3.3.0-r6 fixed in 3.4.0-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libssl3 3.3.0-r6 fixed in 3.4.0-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2024-33601	MEDIUM4	glibc 2.39-r3 fixed in 2.39-r5	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-33601	MEDIUM4	glibc-locale-en 2.39-r3 fixed in 2.39-r5	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-33601	MEDIUM4	glibc-locale-posix 2.39-r3 fixed in 2.39-r5	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-33601	MEDIUM4	ld-linux 2.39-r3 fixed in 2.39-r5	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-33601	MEDIUM4	libcrypt1 2.39-r3 fixed in 2.39-r5	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.36.1-r8 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2024-32465	LOW3.98	git 2.45.0-r1 fixed in 2.45.1-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 5.18.4 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2024-9681	LOW3.9	curl 8.7.1-r2 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2024-9681	LOW3.9	libcurl-openssl4 8.7.1-r2 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2024-9143	LOW3.7	libcrypto3 3.3.0-r6 fixed in 3.3.3-r0	6.0% Low-Moderate Risk	Directly Exposed
CVE-2024-9143	LOW3.7	libssl3 3.3.0-r6 fixed in 3.3.3-r0	6.0% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.14.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 5.18.4 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 5.18.4 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2024-32021	LOW3.62	git 2.45.0-r1 fixed in 2.45.1-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2026-26157	LOW3.57	busybox 1.36.1-r8 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.36.1-r8 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2025-8058	LOW3.57	glibc 2.39-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-en 2.39-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-posix 2.39-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	ld-linux 2.39-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	libcrypt1 2.39-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2024-11053	LOW3.54	curl 8.7.1-r2 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-11053	LOW3.54	libcurl-openssl4 8.7.1-r2 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-33602	LOW3.4	glibc 2.39-r3 fixed in 2.39-r5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.39-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2024-33602	LOW3.4	glibc-locale-en 2.39-r3 fixed in 2.39-r5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-en 2.39-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2024-33602	LOW3.4	glibc-locale-posix 2.39-r3 fixed in 2.39-r5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-posix 2.39-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2024-33602	LOW3.4	ld-linux 2.39-r3 fixed in 2.39-r5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	ld-linux 2.39-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2024-33602	LOW3.4	libcrypt1 2.39-r3 fixed in 2.39-r5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libcrypt1 2.39-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libcrypto3 3.3.0-r6 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.3.0-r6 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2024-8096	LOW3.31	curl 8.7.1-r2 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2024-8096	LOW3.31	libcurl-openssl4 8.7.1-r2 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-46551	LOW3.15	rubygems:jruby-openssl 0.14.5 fixed in 0.15.4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW3.1	libcrypto3 3.3.0-r6 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.3.0-r6 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2026-31789	LOW3	libcrypto3 3.3.0-r6 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.3.0-r6 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2024-32004	LOW2.81	git 2.45.0-r1 fixed in 2.45.1-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2024-12801	LOW2.8	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.13, 1.3.15	0.2% Theoretical Threat	Directly Exposed
CVE-2025-60876	LOW2.75	busybox 1.36.1-r8 fixed in 1.37.0-r52	0.3% Theoretical Threat	Post-Exploit
CVE-2024-50349	LOW2.4	git 2.45.0-r1 fixed in 2.48.1-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-0665	LOW2.4	curl 8.7.1-r2 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	curl 8.7.1-r2 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0665	LOW2.4	libcurl-openssl4 8.7.1-r2 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	libcurl-openssl4 8.7.1-r2 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.36.1-r8 fixed in 1.37.0-r50	0.1% Theoretical Threat	Post-Exploit
CVE-2024-32020	LOW1.68	git 2.45.0-r1 fixed in 2.45.1-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.36.1-r8 fixed in 1.37.0-r49	0.2% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	curl 8.7.1-r2 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2026-32631	NONE0	git 2.45.0-r1 fixed in 2.54.0-r0	0.3% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libcrypto3 3.3.0-r6 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.3.0-r6 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	libcurl-openssl4 8.7.1-r2 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libssl3 3.3.0-r6 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.3.0-r6 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.17.1 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.10.1 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable