Vulnerability Reportgocd/gocd-server:v24.5.0

gocd/gocd-server:v24.5.0

DIGESTsha256:3450e0c66a50cb82cf82808495e28f6611badaf1920db132a8bdb1f8b234bf8f

Executive Summary

Threat ScoreDANGEROUS• 200 total vulnerabilities with 22 rated critical or high (CVSS >=7.0) and a maximum severity of 8.0.• Contains multiple remote code execution vulnerabilities (e.g., CVE-2021-42392, CVE-2022-22965, CVE-2022-22978) that could allow an attacker to fully compromise the GoCD server.• The image is based on an unknown Linux distribution, making patch management uncertain.• Despite being a popular community image (9M+ pulls), the sheer volume and severity of vulnerabilities outweigh the trust reputation.• 14 post-exploit vulnerabilities exist, but all are low severity (max 3.98) and do not reduce the critical risk from exposed surface.

98/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution or authorization bypass, potentially gaining full control of the GoCD server and accessing sensitive data or disrupting CI/CD pipelines. Note: Some vulnerabilities require non-default configurations (e.g., H2 Console exposure, WAR deployment on Tomcat), but given the high count of critical issues, the image remains unsafe.

Vulnerabilities

Vulnerability Log

214 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2016-1000027	HIGH8	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-34197	HIGH8	org.apache.activemq:activemq-broker 5.18.6 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-38819	HIGH7.8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	HIGH7.73	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45445	HIGH7.73	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.24 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-client 5.18.6 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-openwire-legacy 5.18.6 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2024-12797	HIGH7.4	libcrypto3 3.4.0-r4 fixed in 3.4.1-r0	2.4% Low-Moderate Risk	Directly Exposed
CVE-2024-12797	HIGH7.4	libssl3 3.4.0-r4 fixed in 3.4.1-r0	2.4% Low-Moderate Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2021-23463	HIGH7.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-40466	HIGH7.04	org.apache.activemq:activemq-broker 5.18.6 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2021-22112	HIGH7.04	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-48976	MEDIUM6.89	commons-fileupload:commons-fileupload 1.5 fixed in 1.6.0	63.3% Actively Exploited	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc 2.40-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-en 2.40-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-posix 2.40-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	ld-linux 2.40-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	libcrypt1 2.40-r3 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libssl3 3.4.0-r4 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-22257	MEDIUM6.66	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-22259	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-22262	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-69421	MEDIUM6.38	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69421	MEDIUM6.38	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libssl3 3.4.0-r4 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.4.0-r4 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.4.0-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.4.0-r4 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 5.18.6 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 5.18.6 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.78 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.79 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.3 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.4 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 5.18.6 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM6	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Directly Exposed
CVE-2025-15467	MEDIUM6	libssl3 3.4.0-r4 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Directly Exposed
CVE-2024-52006	MEDIUM6	git 2.47.1-r0 fixed in 2.48.1-r0	1.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-52005	MEDIUM5.98	git 2.47.1-r0 fixed in 2.49.0-r0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-9231	MEDIUM5.9	libcrypto3 3.4.0-r4 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libssl3 3.4.0-r4 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.4.0-r4 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.4.0-r4 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.40-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-en 2.40-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-posix 2.40-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	ld-linux 2.40-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libcrypt1 2.40-r3 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.4.0-r4 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.4.0-r4 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.79 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.24 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.5.14 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 6.10.0.202406032230-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc 2.40-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-en 2.40-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-posix 2.40-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	ld-linux 2.40-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	libcrypt1 2.40-r3 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-49146	MEDIUM5.02	org.postgresql:postgresql 42.7.4 fixed in 42.7.7	0.5% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libcrypto3 3.4.0-r4 fixed in 3.6.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libssl3 3.4.0-r4 fixed in 3.6.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	MEDIUM4.86	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-45447	MEDIUM4.86	libssl3 3.4.0-r4 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc 2.40-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc-locale-en 2.40-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	glibc-locale-posix 2.40-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	ld-linux 2.40-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-0395	MEDIUM4.67	libcrypt1 2.40-r3 fixed in 2.40-r6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r4 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc 2.40-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.40-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-en 2.40-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-en 2.40-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-posix 2.40-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-posix 2.40-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	ld-linux 2.40-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	ld-linux 2.40-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	libcrypt1 2.40-r3 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libcrypt1 2.40-r3 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.78 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.24 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.40-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.40-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-en 2.40-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-en 2.40-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-posix 2.40-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-posix 2.40-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	ld-linux 2.40-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	ld-linux 2.40-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libcrypt1 2.40-r3 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libcrypt1 2.40-r3 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.14 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libcrypto3 3.4.0-r4 fixed in 3.4.0-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libssl3 3.4.0-r4 fixed in 3.4.0-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.37.0-r0 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 5.18.6 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.17.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 5.18.6 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 5.18.6 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-26157	LOW3.57	busybox 1.37.0-r0 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.37.0-r0 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2025-8058	LOW3.57	glibc 2.40-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-en 2.40-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-posix 2.40-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	ld-linux 2.40-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	libcrypt1 2.40-r3 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.40-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-en 2.40-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-posix 2.40-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	ld-linux 2.40-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libcrypt1 2.40-r3 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libcrypto3 3.4.0-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.4.0-r4 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2026-45446	LOW3.15	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-46551	LOW3.15	rubygems:jruby-openssl 0.15.0 fixed in 0.15.4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW3.1	libcrypto3 3.4.0-r4 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.4.0-r4 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-60876	LOW2.75	busybox 1.37.0-r0 fixed in 1.37.0-r52	0.3% Theoretical Threat	Post-Exploit
CVE-2024-50349	LOW2.4	git 2.47.1-r0 fixed in 2.48.1-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-0665	LOW2.4	curl 8.11.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	curl 8.11.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0665	LOW2.4	libcurl-openssl4 8.11.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	libcurl-openssl4 8.11.1-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.37.0-r0 fixed in 1.37.0-r50	0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.37.0-r0 fixed in 1.37.0-r49	0.2% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	curl 8.11.1-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2026-32631	NONE0	git 2.47.1-r0 fixed in 2.54.0-r0	0.3% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libcrypto3 3.4.0-r4 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.4.0-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	libcurl-openssl4 8.11.1-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libssl3 3.4.0-r4 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.4.0-r4 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.18.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.11.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable