Vulnerability Reportgoharbor/harbor-core:v2.15.1

goharbor/harbor-core:v2.15.1goharbor/harbor-core:v2.15.1-rc2

DIGESTsha256:887a85b8ea98b76bfc9f715f1a0785bb99f9a1034241513902dd6e95be922a83

Executive Summary

Threat ScoreNEEDS ATTENTION• High reputation community image (27M+ pulls) with trusted publisher and pinned by digest.• Exposed surface contains 2 medium-severity vulnerabilities (CVE-2026-45447, severity 6.48) requiring specific conditions (PKCS#7 processing) for exploitation.• No high-severity exposed vulnerabilities (max severity 6.48) and no notable post-exploit findings.• Total of 27 exposed and 52 post-exploit vulnerabilities, all low to medium severity.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (27M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The highest-severity issue, CVE-2026-45447 (severity 6.48), affects OpenSSL and requires processing malicious PKCS#7 signed messages, which is not a default operation for this container. With 27 exposed vulnerabilities (all medium or lower) and a reliable community publisher, the risk is manageable with standard security practices.

Vulnerabilities

Vulnerability Log

80 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45447	MEDIUM6.48	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-45447	MEDIUM6.48	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-41888	MEDIUM5.52	github.com/distribution/distribution v2.8.2+incompatible No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-34181	MEDIUM5.35	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-35172	MEDIUM5.1	github.com/distribution/distribution v2.8.2+incompatible No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-7383	MEDIUM4.67	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.2.13-5.ph5 fixed in 1.3.2-1.ph5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-libs 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-libs 2.36-23.1.ph5 fixed in 2.43-3.ph5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41889	MEDIUM4	github.com/jackc/pgx/v4 v4.18.3 No fix yet	0.4% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-32952	LOW3.6	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Post-ExploitContext importance: MEDIUM
CVE-2026-6429	LOW3.31	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6429	LOW3.31	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-34181	LOW3.21	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-41080	LOW3.15	expat-libs 2.7.5-1.ph5 fixed in 2.8.0-1.ph5	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32286	LOW3.06	github.com/jackc/pgproto3/v2 v2.3.3 No fix yet	0.4% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-33811	LOW3.06	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-33814	LOW3.06	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-42764	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.7% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7598	LOW2.78	libssh2 1.11.0-4.ph5 fixed in 1.11.1-3.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW2.75	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4873	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6253	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-7009	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7168	LOW2.7	curl 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4873	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6253	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-7009	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7168	LOW2.7	curl-libs 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33540	LOW2.63	github.com/distribution/distribution v2.8.2+incompatible No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	LOW2.55	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-5773	LOW2.29	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6276	LOW2.29	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-5773	LOW2.29	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6276	LOW2.29	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45186	LOW2.29	expat-libs 2.7.5-1.ph5 fixed in 2.8.1-1.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35206	LOW2.24	helm.sh/helm/v3 v3.18.5 fixed in 3.20.2	0.2% Theoretical Threat	Post-Exploit
CVE-2026-5545	LOW1.99	curl 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5545	LOW1.99	curl-libs 8.19.0-1.ph5 fixed in 8.19.0-2.ph5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.7% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW1.62	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.6% Theoretical Threat	Post-Exploit
CVE-2025-69720	NONE0	ncurses-libs 6.5-1.ph5 fixed in 6.5-2.ph5	0.4% Theoretical Threat	Not Applicable
BDSA-2026-9096	NONE0	curl 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	—	Not Applicable
BDSA-2026-9096	NONE0	curl-libs 8.19.0-1.ph5 fixed in 8.20.0-1.ph5	—	Not Applicable
BDSA-2026-9020	NONE0	libssh2 1.11.0-4.ph5 fixed in 1.11.1-3.ph5	—	Not Applicable
CVE-2026-42765	NONE0	openssl 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	openssl-libs 3.0.18-3.ph5 fixed in 3.5.7-1.ph5	0.4% Theoretical Threat	Not Applicable
CVE-2025-24358	NONE0	github.com/gorilla/csrf v1.7.2 fixed in 1.7.3	0.3% Theoretical Threat	Not Applicable
CVE-2025-47909	NONE0	github.com/gorilla/csrf v1.7.2 No fix yet	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable