Vulnerability Reportgocd/gocd-server:v24.3.0

gocd/gocd-server:v24.3.0

DIGESTsha256:4deaf609348a9153cb93699eb26e5d2cce206537572b05ad232b7fc8427cb72f

Executive Summary

Threat ScoreDANGEROUS• Over 199 vulnerabilities detected, including 26 with severity ≥7.0 (max 8.1).• Critical remote code execution risks from CVE-2026-45447 (OpenSSL use-after-free) and CVE-2021-42392 (H2 Console RCE).• Spring Framework contains multiple high-severity vulnerabilities (CVE-2022-22965) that could enable RCE under specific deployment conditions.• Image is popular but not official/verified; relies on community trust.• Some vulnerabilities require non-default configurations, reducing exposure but not eliminating risk.

98/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit CVE-2021-42392 and CVE-2022-22965 to achieve remote code execution, potentially compromising the entire server and sensitive data. Disabling the H2 Console fully mitigates the H2-related RCE vulnerabilities. Note that many vulnerabilities require specific configurations (e.g., WAR deployment, RegexRequestMatcher usage) to be exploitable, but the high volume and severity of issues make this image unsuitable for production without extensive remediation.

Vulnerabilities

Vulnerability Log

227 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45447	HIGH8.1	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-45447	HIGH8.1	libssl3 3.3.1-r4 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-22262	HIGH8.1	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly Exposed
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2016-1000027	HIGH8	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-34197	HIGH8	org.apache.activemq:activemq-broker 5.18.5 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-6119	HIGH7.8	libcrypto3 3.3.1-r4 fixed in 3.3.2-r0	66.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-6119	HIGH7.8	libssl3 3.3.1-r4 fixed in 3.3.2-r0	66.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-38819	HIGH7.8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	HIGH7.73	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45445	HIGH7.73	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.22 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-client 5.18.5 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-openwire-legacy 5.18.5 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2024-12797	HIGH7.4	libcrypto3 3.3.1-r4 fixed in 3.4.1-r0	2.4% Low-Moderate Risk	Directly Exposed
CVE-2024-12797	HIGH7.4	libssl3 3.3.1-r4 fixed in 3.4.1-r0	2.4% Low-Moderate Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2021-23463	HIGH7.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-40466	HIGH7.04	org.apache.activemq:activemq-broker 5.18.5 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-48976	MEDIUM6.89	commons-fileupload:commons-fileupload 1.5 fixed in 1.6.0	63.3% Actively Exploited	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc 2.39-r7 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-en 2.39-r7 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-posix 2.39-r7 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	ld-linux 2.39-r7 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	libcrypt1 2.39-r7 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libssl3 3.3.1-r4 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 10.0.22 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-22259	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-69421	MEDIUM6.38	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69421	MEDIUM6.38	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libssl3 3.3.1-r4 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.3.1-r4 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.3.1-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.3.1-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 5.18.5 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 5.18.5 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.78 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.3 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.3 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 5.18.5 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libcrypto3 3.3.1-r4 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libssl3 3.3.1-r4 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.3.1-r4 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.3.1-r4 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.39-r7 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-en 2.39-r7 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-posix 2.39-r7 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	ld-linux 2.39-r7 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libcrypt1 2.39-r7 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.3.1-r4 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.3.1-r4 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.22 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 6.10.0.202406032230-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc 2.39-r7 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-en 2.39-r7 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-posix 2.39-r7 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	ld-linux 2.39-r7 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	libcrypt1 2.39-r7 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc 2.39-r7 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc-locale-en 2.39-r7 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc-locale-posix 2.39-r7 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	ld-linux 2.39-r7 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	libcrypt1 2.39-r7 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r3 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2024-12798	MEDIUM4.67	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.13, 1.3.15	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc 2.39-r7 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.39-r7 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-en 2.39-r7 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-en 2.39-r7 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-posix 2.39-r7 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-posix 2.39-r7 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	ld-linux 2.39-r7 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	ld-linux 2.39-r7 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	libcrypt1 2.39-r7 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libcrypt1 2.39-r7 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.78 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.78.1 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.22 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.39-r7 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.39-r7 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-en 2.39-r7 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-en 2.39-r7 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-posix 2.39-r7 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-posix 2.39-r7 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	ld-linux 2.39-r7 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	ld-linux 2.39-r7 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libcrypt1 2.39-r7 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libcrypt1 2.39-r7 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM4.06	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-15467	MEDIUM4.06	libssl3 3.3.1-r4 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2024-13176	MEDIUM4	libcrypto3 3.3.1-r4 fixed in 3.4.0-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libssl3 3.3.1-r4 fixed in 3.4.0-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.36.1-r10 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 5.18.5 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2024-9143	LOW3.7	libcrypto3 3.3.1-r4 fixed in 3.3.3-r0	6.0% Low-Moderate Risk	Directly Exposed
CVE-2024-9143	LOW3.7	libssl3 3.3.1-r4 fixed in 3.3.3-r0	6.0% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.15.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 5.18.5 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 5.18.5 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-26157	LOW3.57	busybox 1.36.1-r10 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.36.1-r10 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2025-8058	LOW3.57	glibc 2.39-r7 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-en 2.39-r7 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-posix 2.39-r7 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	ld-linux 2.39-r7 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	libcrypt1 2.39-r7 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.39-r7 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-en 2.39-r7 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-posix 2.39-r7 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	ld-linux 2.39-r7 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libcrypt1 2.39-r7 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libcrypto3 3.3.1-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.3.1-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2021-22112	LOW3.17	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-46551	LOW3.15	rubygems:jruby-openssl 0.15.0 fixed in 0.15.4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW3.1	libcrypto3 3.3.1-r4 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.3.1-r4 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2026-31789	LOW3	libcrypto3 3.3.1-r4 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.3.1-r4 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2024-22257	LOW3	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Post-Exploit
CVE-2024-12801	LOW2.8	ch.qos.logback:logback-core 1.5.6 fixed in 1.5.13, 1.3.15	0.2% Theoretical Threat	Directly Exposed
CVE-2025-60876	LOW2.75	busybox 1.36.1-r10 fixed in 1.37.0-r52	0.3% Theoretical Threat	Post-Exploit
CVE-2024-52006	LOW2.7	git 2.46.0-r1 fixed in 2.48.1-r0	1.0% Low-Moderate Risk	Post-Exploit
CVE-2024-52005	LOW2.69	git 2.46.0-r1 fixed in 2.49.0-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2024-50349	LOW2.4	git 2.46.0-r1 fixed in 2.48.1-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-0665	LOW2.4	curl 8.9.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	curl 8.9.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0665	LOW2.4	libcurl-openssl4 8.9.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	libcurl-openssl4 8.9.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2024-9681	LOW2.34	curl 8.9.1-r0 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2024-9681	LOW2.34	libcurl-openssl4 8.9.1-r0 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2024-11053	LOW2.12	curl 8.9.1-r0 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-11053	LOW2.12	libcurl-openssl4 8.9.1-r0 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-8096	LOW1.99	curl 8.9.1-r0 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2024-8096	LOW1.99	libcurl-openssl4 8.9.1-r0 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.36.1-r10 fixed in 1.37.0-r50	0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.36.1-r10 fixed in 1.37.0-r49	0.2% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	curl 8.9.1-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2026-32631	NONE0	git 2.46.0-r1 fixed in 2.54.0-r0	0.3% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libcrypto3 3.3.1-r4 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.3.1-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	libcurl-openssl4 8.9.1-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libssl3 3.3.1-r4 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.3.1-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.17.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.11.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable