Vulnerability Reporthyness/spring-cloud-config-server:5.0.1

hyness/spring-cloud-config-server:5.0.1-77dad0b-jre17hyness/spring-cloud-config-server:5.0.1

DIGESTsha256:7ed3fd20023a486ab1a12ae29fdb56155bce023ac89f0d50642c0eab4f593e85

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling (CVE-2026-42581) to bypass security controls and gain unauthorized access, or leverage directory traversal (CVE-2026-40982) to leak sensitive configuration data. While the image is from a reputable community publisher, the presence of 85 exposed vulnerabilities—including 23 with severity ≥6.0—and the absence of official verification render it unsuitable for production. Upgrading to patched versions of Netty and Spring Cloud Config is required.

Threat Score

75/100

DANGEROUS

Critical CVE-2026-42581 (CVSS 8.33) enables HTTP request smuggling, allowing unauthorized access to protected endpoints.
85 exposed vulnerabilities discovered, 23 with severity ≥6.0, including CVE-2026-40982 (directory traversal) and multiple Netty request smuggling issues (CVE-2026-42585).
Image is popular (18M+ pulls) and pinned by digest but not officially verified; high-risk findings directly affect the config server's network attack surface.
Post-exploit findings are low severity (max 4.08) and require attacker-controlled DNS, posing minimal practical risk.

Reputation

RELIABLE

hyness

POPULAR COMMUNITY

High Reputation Community Image (18M+ pulls)
Pinned by digest (Immutable)

Vulnerabilities

Vulnerability Log

147 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-40982	MEDIUM6.97	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.8% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45447	MEDIUM6.48	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-28389	MEDIUM6.38	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Directly Exposed
CVE-2026-44894	MEDIUM6.38	io.netty:netty-codec-classes-quic 4.2.9.Final fixed in 4.2.15.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.9 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2026-40981	MEDIUM6.38	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-29062	MEDIUM6.38	tools.jackson.core:jackson-core 3.0.4 fixed in 3.1.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40542	MEDIUM6.21	org.apache.httpcomponents.client5:httpclient5 5.6 fixed in 5.6.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-41293	MEDIUM6.21	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-32990	MEDIUM6.21	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.53, 11.0.20	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40976	MEDIUM6.18	org.springframework.boot:spring-boot 4.0.2 fixed in 4.0.6	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40973	MEDIUM5.95	org.springframework.boot:spring-boot 4.0.2 fixed in 4.0.6, 3.5.14	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 4.1.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-43512	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34487	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.117, 10.1.54, 11.0.21	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42498	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2026-41726	MEDIUM5.52	org.springframework.kafka:spring-kafka 4.0.2 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22753	MEDIUM5.52	org.springframework.security:spring-security-config 7.0.2 fixed in 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 7.0.2 fixed in 6.5.9, 7.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22737	MEDIUM5.52	org.springframework:spring-webflux 7.0.3 fixed in 7.0.6, 6.2.17	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22740	MEDIUM5.52	org.springframework:spring-webflux 7.0.3 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22737	MEDIUM5.52	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.6, 6.2.17	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41002	MEDIUM5.5	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22747	MEDIUM5.5	org.springframework.security:spring-security-web 7.0.2 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-24734	MEDIUM5.1	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 11.0.18, 10.1.52, 9.0.115	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22754	MEDIUM5.1	org.springframework.security:spring-security-config 7.0.2 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webflux 7.0.3 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34483	MEDIUM4.59	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.54, 11.0.21	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webflux 7.0.3 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45674	MEDIUM4.08	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-47691	MEDIUM4.08	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-41004	LOW3.74	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42579	LOW3.71	io.netty:netty-codec-dns 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-42584	LOW3.71	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-24880	LOW3.65	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.52, 11.0.20	0.5% Theoretical Threat	Directly Exposed
CVE-2026-25854	LOW3.65	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.53, 11.0.20	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-43514	LOW3.15	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22746	LOW3.15	org.springframework.security:spring-security-core 7.0.2 fixed in 6.5.10, 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	LOW3.01	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33557	LOW2.63	org.apache.kafka:kafka-clients 4.1.1 fixed in 4.1.2	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.6% Theoretical Threat	Post-Exploit
CVE-2025-59250	LOW2.48	com.microsoft.sqlserver:mssql-jdbc 13.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Post-Exploit
CVE-2025-66566	LOW2.29	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-22735	LOW2.21	org.springframework:spring-webflux 7.0.3 fixed in 7.0.6, 6.2.17	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22735	LOW2.21	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.6, 6.2.17	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW1.89	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31790	LOW1.81	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	1.0% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33810	NONE0	stdlib v1.26.1 fixed in 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-33810	NONE0	stdlib 1.26.1 fixed in 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32280	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-32281	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32283	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-32280	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-32281	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32283	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-32282	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32282	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32289	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32289	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32288	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32288	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.20.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42582	NONE0	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-44892	NONE0	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.15.Final	0.5% Theoretical Threat	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-43515	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Not Applicable
CVE-2026-41284	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.8% Theoretical Threat	Not Applicable
CVE-2026-43513	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Not Applicable
CVE-2026-22739	NONE0	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.2, 5.0.2	1.2% Low-Moderate Risk	Not Applicable
CVE-2026-41731	NONE0	org.springframework.kafka:spring-kafka 4.0.2 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Not Applicable
GHSA-2m67-wjpj-xhg9	NONE0	tools.jackson.core:jackson-core 3.0.4 fixed in 3.1.1	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	tools.jackson.core:jackson-core 3.0.4 fixed in 3.1.0	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib 1.26.1 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib 1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib 1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable