Vulnerability Reportgoharbor/harbor-core:v2.14.4

goharbor/harbor-core:v2.14.4goharbor/harbor-core:v2.14.4-rc1

DIGESTsha256:8d3e4309e45488a013c2e3ad7c60c17581bba3ff718b545e2b40c7363f1a62c9

Executive Summary

Threat ScoreNEEDS ATTENTION• 32 exposed vulnerabilities found, with only 2 at medium-high severity (max 6.66).• CVE-2026-41889 (pgx SQL injection) requires non-default simple protocol; CVE-2026-45447 (openssl use-after-free) requires PKCS7 verify usage.• 48 post-exploit vulnerabilities all low severity (max 3.31), posing minimal risk.• Image is from a reputable community source (27M+ pulls, pinned by digest).• Threat score of 25 indicates low-medium risk level.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (27M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The two most notable vulnerabilities are CVE-2026-41889 and CVE-2026-45447, both requiring specific configurations or code paths to be exploitable. The remaining 30 exposed vulnerabilities are lower severity, and all post-exploit findings are low severity. Overall, the risk is moderate, but patching these two CVEs is advisable to reduce the attack surface.

Vulnerabilities

Vulnerability Log

81 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-41889	MEDIUM6.66	github.com/jackc/pgx/v4 v4.18.3 No fix yet	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45447	MEDIUM6.48	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-41888	MEDIUM5.52	github.com/distribution/distribution v2.8.2+incompatible No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-34181	MEDIUM5.35	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM5.1	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-35172	MEDIUM5.1	github.com/distribution/distribution v2.8.2+incompatible No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39820	MEDIUM5.1	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-7383	MEDIUM4.67	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.2.13-5.ph5 fixed in 1.3.2-1.ph5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-libs 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-libs 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45186	LOW3.83	expat-libs 2.7.5-1.ph5 fixed in 2.8.1-1.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39826	LOW3.67	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-6429	LOW3.31	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5545	LOW3.31	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6429	LOW3.31	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-34181	LOW3.21	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-41080	LOW3.15	expat-libs 2.7.5-1.ph5 fixed in 2.8.0-1.ph5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33811	LOW3.06	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-42764	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.7% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW3.01	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.7% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7598	LOW2.78	libssh2 1.11.0-4.ph5 fixed in 1.11.1-3.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-32952	LOW2.7	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-4873	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6253	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-7009	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7168	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4873	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6253	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-7009	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7168	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33540	LOW2.63	github.com/distribution/distribution v2.8.2+incompatible No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	LOW2.55	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-5773	LOW2.29	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6276	LOW2.29	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-5773	LOW2.29	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6276	LOW2.29	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-32286	LOW2.29	github.com/jackc/pgproto3/v2 v2.3.3 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35206	LOW2.24	helm.sh/helm/v3 v3.18.5 fixed in 3.20.2	0.2% Theoretical Threat	Post-Exploit
CVE-2026-5545	LOW1.99	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW1.62	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.6% Theoretical Threat	Post-Exploit
CVE-2025-69720	NONE0	ncurses-libs 6.5-1.ph5 fixed in 6.5-2.ph5	0.4% Theoretical Threat	Not Applicable
BDSA-2026-9096	NONE0	curl 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	—	Not Applicable
BDSA-2026-9096	NONE0	curl-libs 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	—	Not Applicable
BDSA-2026-9020	NONE0	libssh2 1.11.0-4.ph5 fixed in 1.11.1-3.ph5	—	Not Applicable
CVE-2026-42765	NONE0	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Not Applicable
CVE-2025-24358	NONE0	github.com/gorilla/csrf v1.7.2 fixed in 1.7.3	0.3% Theoretical Threat	Not Applicable
CVE-2025-47909	NONE0	github.com/gorilla/csrf v1.7.2 No fix yet	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable