Last scanned:
This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. Two denial-of-service vulnerabilities were found: CVE-2026-42504 (remote CPU exhaustion via crafted MIME headers) and CVE-2026-33630 (use-after-free in DNS resolution). Both are remotely exploitable but limited to denial of service, with no impact on data confidentiality or integrity. The image is from a trusted, verified publisher and has no post-exploit findings; updating the affected packages (stdlib, c-ares) is advised.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-42504 | MEDIUM6.38 | stdlib v1.26.3 fixed in 1.25.11, 1.26.4 | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-33630 | MEDIUM6 | c-ares 1.34.6-r0 fixed in 1.34.8-r0 | — | Directly ExposedContext importance: MEDIUM |
| CVE-2026-27145 | MEDIUM5.1 | stdlib v1.26.3 fixed in 1.25.11, 1.26.4 | 0.9% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-8927 | LOW3.82 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-8932 | LOW3.82 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-9079 | LOW3.82 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-9545 | LOW3.82 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-9546 | LOW3.82 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-8927 | LOW3.82 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-8932 | LOW3.82 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-9079 | LOW3.82 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-9545 | LOW3.82 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-9546 | LOW3.82 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-9547 | LOW3.77 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-9547 | LOW3.77 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-9080 | LOW3.72 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-9080 | LOW3.72 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-48096 | LOW3.6 | github.com/openfga/openfga v1.14.2 fixed in 1.16.0 | 0.1% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42507 | LOW3.6 | stdlib v1.26.3 fixed in 1.25.11, 1.26.4 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-11564 | LOW3.31 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-11856 | LOW3.31 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-8924 | LOW3.31 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-11564 | LOW3.31 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-11856 | LOW3.31 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-8924 | LOW3.31 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-8286 | LOW2.48 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-8925 | LOW2.48 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-8286 | LOW2.48 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-8925 | LOW2.48 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-8926 | LOW2.45 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-8926 | LOW2.45 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-10536 | LOW2.4 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-10536 | LOW2.4 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-11352 | LOW2.29 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-11586 | LOW2.29 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-12064 | LOW2.29 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-11352 | LOW2.29 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-11586 | LOW2.29 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-12064 | LOW2.29 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-21728 | LOW2.29 | github.com/grafana/tempo v1.5.1-0.20251027222923-cbe5f845dc7b fixed in 2.8.4, 2.9.2, 2.10.2 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-42151 | LOW2.29 | github.com/prometheus/prometheus v0.305.3 fixed in 0.311.3 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-28377 | LOW1.99 | github.com/grafana/tempo v1.5.1-0.20251027222923-cbe5f845dc7b fixed in 2.10.3 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-40179 | LOW1.87 | github.com/prometheus/prometheus v0.305.3 fixed in 0.311.2-0.20260410083055-07c6232d159b | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-44903 | LOW1.87 | github.com/prometheus/prometheus v0.305.3 fixed in 0.311.3 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-8458 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-8458 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-55689 | NONE0 | github.com/openfga/openfga v1.14.2 fixed in 1.18.0 | — | Not Applicable |
| CVE-2026-55170 | NONE0 | github.com/openfga/openfga v1.14.2 fixed in 1.18.0 | — | Not Applicable |
| GO-2026-5932 | NONE0 | golang.org/x/crypto v0.52.0 No fix yet | — | Not Applicable |
| CVE-2026-39822 | NONE0 | stdlib v1.26.4 fixed in 1.25.12, 1.26.5, 1.27.0-rc.2 | — | Not Applicable |
| CVE-2026-42505 | NONE0 | stdlib v1.26.4 fixed in 1.25.12, 1.26.5, 1.27.0-rc.2 | — | Not Applicable |
| CVE-2026-39822 | NONE0 | stdlib v1.26.3 fixed in 1.25.12, 1.26.5, 1.27.0-rc.2 | — | Not Applicable |
| CVE-2026-42505 | NONE0 | stdlib v1.26.3 fixed in 1.25.12, 1.26.5, 1.27.0-rc.2 | — | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.