Vulnerability Reportgocd/gocd-server:v25.3.0

gocd/gocd-server:v25.3.0

DIGESTsha256:5bf5ca517362b6f291d0ec007382cc6546ad0de2aca9a6c6cdf91d0f18d6cd8d

Executive Summary

Threat ScoreDANGEROUS• Threat score of 98 indicates critical risk.• 168 exposed vulnerabilities found, including 18 with severity >= 7.0, such as CVE-2026-45447 (8.1), CVE-2021-42392 (8.0), and CVE-2022-22965 (8.0).• Multiple CVEs allow remote code execution (e.g., CVE-2021-42392, CVE-2022-22965) or authorization bypass (CVE-2022-22978).• The image is widely used and pinned by digest, but the vulnerability burden is severe.

98/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via CVE-2021-42392 (H2) or CVE-2022-22965 (Spring4Shell). Disabling the H2 Console would fully mitigate CVE-2021-42392 and CVE-2022-23221; CVE-2022-22965 is only relevant if the application is deployed as a WAR on Tomcat with JDK 9+. However, given the presence of 18 high-severity vulnerabilities across multiple components, including Spring, OpenSSL, and ActiveMQ, the overall risk remains unacceptable.

Vulnerabilities

Vulnerability Log

181 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45447	HIGH8.1	libssl3 3.5.1-r1 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2016-1000027	HIGH8	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22965	HIGH8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-34197	HIGH8	org.apache.activemq:activemq-broker 6.1.7 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-38819	HIGH7.8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	HIGH7.73	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45445	HIGH7.73	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.25 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2021-23463	HIGH7.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-40466	HIGH7.04	org.apache.activemq:activemq-broker 6.1.7 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-0861	MEDIUM6.88	glibc 2.41-r56 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-en 2.41-r56 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	glibc-locale-posix 2.41-r56 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	ld-linux 2.41-r56 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0861	MEDIUM6.88	libcrypt1 2.41-r56 fixed in 2.42-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM6.88	libssl3 3.5.1-r1 fixed in 3.6.2-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-22257	MEDIUM6.66	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-22259	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-22262	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-69421	MEDIUM6.38	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69421	MEDIUM6.38	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28386	MEDIUM6.38	libssl3 3.5.1-r1 fixed in 3.6.2-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.5.1-r1 fixed in 3.6.2-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.5.1-r1 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.1-r1 fixed in 3.6.2-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 6.1.7 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 6.1.7 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.79 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.81 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.3 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.7 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 6.1.7 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libcrypto3 3.5.1-r1 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9231	MEDIUM5.9	libssl3 3.5.1-r1 fixed in 3.5.4-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.5.1-r1 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.5.1-r1 fixed in 3.5.4-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.41-r56 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-en 2.41-r56 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-locale-posix 2.41-r56 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	ld-linux 2.41-r56 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libcrypt1 2.41-r56 fixed in 2.43-r4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.1-r1 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.1-r1 fixed in 3.6.1-r3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.79 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.25 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.5.18 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11187	MEDIUM5.18	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc 2.41-r56 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-en 2.41-r56 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	glibc-locale-posix 2.41-r56 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	ld-linux 2.41-r56 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2025-15281	MEDIUM5.02	libcrypt1 2.41-r56 fixed in 2.42-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.2-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r51 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc 2.41-r56 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.41-r56 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-en 2.41-r56 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-en 2.41-r56 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	glibc-locale-posix 2.41-r56 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-posix 2.41-r56 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	ld-linux 2.41-r56 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	ld-linux 2.41-r56 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0915	MEDIUM4.5	libcrypt1 2.41-r56 fixed in 2.42-r6	0.6% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libcrypt1 2.41-r56 fixed in 2.43-r6	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.25 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.41-r56 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.41-r56 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-en 2.41-r56 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-en 2.41-r56 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-locale-posix 2.41-r56 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-locale-posix 2.41-r56 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	ld-linux 2.41-r56 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	ld-linux 2.41-r56 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libcrypt1 2.41-r56 fixed in 2.43-r7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libcrypt1 2.41-r56 fixed in 2.43-r7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.18 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM4.06	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-15467	MEDIUM4.06	libssl3 3.5.1-r1 fixed in 3.6.1-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-68160	MEDIUM4	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.37.0-r47 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 6.1.7 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 6.1.7 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 6.1.7 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-26157	LOW3.57	busybox 1.37.0-r47 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.37.0-r47 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4438	LOW3.4	glibc 2.41-r56 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-en 2.41-r56 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-posix 2.41-r56 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	ld-linux 2.41-r56 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libcrypt1 2.41-r56 fixed in 2.43-r4	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libcrypto3 3.5.1-r1 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.5.1-r1 fixed in 3.6.1-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2021-22112	LOW3.17	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW3.1	libcrypto3 3.5.1-r1 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.5.1-r1 fixed in 3.5.4-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2026-31789	LOW3	libcrypto3 3.5.1-r1 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.5.1-r1 fixed in 3.6.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2025-60876	LOW2.75	busybox 1.37.0-r47 fixed in 1.37.0-r52	0.3% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.37.0-r47 fixed in 1.37.0-r50	0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.37.0-r47 fixed in 1.37.0-r49	0.2% Theoretical Threat	Not Applicable
CVE-2026-32631	NONE0	git 2.50.1-r1 fixed in 2.54.0-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.5.1-r1 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.5.1-r1 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.19.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.12.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable