Vulnerability Reportgocd/gocd-server:v25.2.0

gocd/gocd-server:v25.2.0

DIGESTsha256:5ff5960299d1c2f8b01b25ef57008d2e5802035fca40d73aaa7a8f753ea6bc23

Executive Summary

Threat ScoreDANGEROUS• Exposed surface includes 178 vulnerabilities, 18 of which are critical (severity >=7) with a maximum severity of 10.0.• Multiple critical CVEs allow remote exploitation: CVE-2022-22978 (authorization bypass), CVE-2016-1000027 (unauthenticated RCE), and CVE-2026-34197 (authenticated RCE via ActiveMQ Jolokia).• Image is from a popular community publisher (9M+ pulls) and pinned by digest, but lacks official verification, increasing supply chain risk.• Most critical vulnerabilities require no special configuration and are directly network-accessible.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve unauthorized access to sensitive data, remote code execution, and complete takeover of the CI/CD server by exploiting vulnerabilities such as CVE-2022-22978 and CVE-2016-1000027. While some vulnerabilities like those in H2 Console (CVE-2021-42392, CVE-2022-23221) can be fully mitigated by disabling the H2 Console, and CVE-2022-22965 is only exploitable if deployed as a WAR on Tomcat, the remaining critical flaws are directly exploitable without special conditions. This image must be patched urgently before any production use.

Vulnerabilities

Vulnerability Log

193 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2022-22978	CRITICAL10	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2022-22978	CRITICAL10	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2016-1000027	CRITICAL10	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-34197	CRITICAL10	org.apache.activemq:activemq-broker 5.19.0 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-38819	CRITICAL9.75	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-22259	HIGH8.1	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2024-22262	HIGH8.1	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	HIGH7.73	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45445	HIGH7.73	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.25 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2026-40466	HIGH7.04	org.apache.activemq:activemq-broker 5.19.0 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-48976	MEDIUM6.89	commons-fileupload:commons-fileupload 1.5 fixed in 1.6.0	63.3% Actively Exploited	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc 2.41-r2 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-en 2.41-r2 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-posix 2.41-r2 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	ld-linux 2.41-r2 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	libcrypt1 2.41-r2 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libssl3 3.5.0-r0 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-22257	MEDIUM6.66	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2025-69421	MEDIUM6.38	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69421	MEDIUM6.38	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libssl3 3.5.0-r0 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.5.0-r0 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.5.0-r0 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.0-r0 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 5.19.0 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 5.19.0 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.79 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.80 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.3 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.5 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 5.19.0 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libcrypto3 3.5.0-r0 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libssl3 3.5.0-r0 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.5.0-r0 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.5.0-r0 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.41-r2 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-en 2.41-r2 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-posix 2.41-r2 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	ld-linux 2.41-r2 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libcrypt1 2.41-r2 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.0-r0 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.0-r0 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.79 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.80 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.25 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.5.18 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 6.10.0.202406032230-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc 2.41-r2 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-en 2.41-r2 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-posix 2.41-r2 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	ld-linux 2.41-r2 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	libcrypt1 2.41-r2 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-49146	MEDIUM5.02	org.postgresql:postgresql 42.7.5 fixed in 42.7.7	0.5% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r6 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc 2.41-r2 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.41-r2 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-en 2.41-r2 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-en 2.41-r2 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-posix 2.41-r2 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-posix 2.41-r2 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	ld-linux 2.41-r2 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	ld-linux 2.41-r2 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	libcrypt1 2.41-r2 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libcrypt1 2.41-r2 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.25 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.41-r2 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.41-r2 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-en 2.41-r2 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-en 2.41-r2 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-posix 2.41-r2 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-posix 2.41-r2 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	ld-linux 2.41-r2 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	ld-linux 2.41-r2 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libcrypt1 2.41-r2 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libcrypt1 2.41-r2 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.18 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM4.06	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-15467	MEDIUM4.06	libssl3 3.5.0-r0 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-68160	MEDIUM4	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.37.0-r40 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 5.19.0 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.17.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 5.19.0 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 5.19.0 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-26157	LOW3.57	busybox 1.37.0-r40 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.37.0-r40 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2025-8058	LOW3.57	glibc 2.41-r2 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-en 2.41-r2 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	glibc-locale-posix 2.41-r2 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	ld-linux 2.41-r2 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2025-8058	LOW3.57	libcrypt1 2.41-r2 fixed in 2.41-r56	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.41-r2 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-en 2.41-r2 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-posix 2.41-r2 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	ld-linux 2.41-r2 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libcrypt1 2.41-r2 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libcrypto3 3.5.0-r0 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.5.0-r0 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2021-23463	LOW3.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Post-Exploit
CVE-2021-22112	LOW3.17	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-46551	LOW3.15	rubygems:jruby-openssl 0.15.3 fixed in 0.15.4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW3.1	libcrypto3 3.5.0-r0 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.5.0-r0 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2026-31789	LOW3	libcrypto3 3.5.0-r0 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.5.0-r0 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.0-r0 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2025-60876	LOW2.75	busybox 1.37.0-r40 fixed in 1.37.0-r52	0.3% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.37.0-r40 fixed in 1.37.0-r50	0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.37.0-r40 fixed in 1.37.0-r49	0.2% Theoretical Threat	Not Applicable
CVE-2026-32631	NONE0	git 2.49.0-r1 fixed in 2.54.0-r0	0.3% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libcrypto3 3.5.0-r0 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.5.0-r0 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2025-4575	NONE0	libssl3 3.5.0-r0 fixed in 3.5.1-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.5.0-r0 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.19.0 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.11.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable