Vulnerability Reporthyness/spring-cloud-config-server:5.0.1

hyness/spring-cloud-config-server:5.0.1-77dad0b-jre17hyness/spring-cloud-config-server:5.0.1

DIGESTsha256:7ed3fd20023a486ab1a12ae29fdb56155bce023ac89f0d50642c0eab4f593e85

Executive Summary

Threat ScoreDANGEROUS• Critical CVE-2026-42581 (CVSS 8.33) enables HTTP request smuggling, allowing unauthorized access to protected endpoints.• 85 exposed vulnerabilities discovered, 23 with severity ≥6.0, including CVE-2026-40982 (directory traversal) and multiple Netty request smuggling issues (CVE-2026-42585).• Image is popular (18M+ pulls) and pinned by digest but not officially verified; high-risk findings directly affect the config server's network attack surface.• Post-exploit findings are low severity (max 4.08) and require attacker-controlled DNS, posing minimal practical risk.

75/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (18M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling (CVE-2026-42581) to bypass security controls and gain unauthorized access, or leverage directory traversal (CVE-2026-40982) to leak sensitive configuration data. While the image is from a reputable community publisher, the presence of 85 exposed vulnerabilities—including 23 with severity ≥6.0—and the absence of official verification render it unsuitable for production. Upgrading to patched versions of Netty and Spring Cloud Config is required.

Vulnerabilities

Vulnerability Log

147 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-40982	MEDIUM6.97	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.8% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45447	MEDIUM6.48	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-28389	MEDIUM6.38	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Directly Exposed
CVE-2026-44894	MEDIUM6.38	io.netty:netty-codec-classes-quic 4.2.9.Final fixed in 4.2.15.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.9 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2026-40981	MEDIUM6.38	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-29062	MEDIUM6.38	tools.jackson.core:jackson-core 3.0.4 fixed in 3.1.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40542	MEDIUM6.21	org.apache.httpcomponents.client5:httpclient5 5.6 fixed in 5.6.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-41293	MEDIUM6.21	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-32990	MEDIUM6.21	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.53, 11.0.20	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40976	MEDIUM6.18	org.springframework.boot:spring-boot 4.0.2 fixed in 4.0.6	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40973	MEDIUM5.95	org.springframework.boot:spring-boot 4.0.2 fixed in 4.0.6, 3.5.14	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 4.1.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-43512	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34487	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.117, 10.1.54, 11.0.21	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42498	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2026-41726	MEDIUM5.52	org.springframework.kafka:spring-kafka 4.0.2 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22753	MEDIUM5.52	org.springframework.security:spring-security-config 7.0.2 fixed in 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 7.0.2 fixed in 6.5.9, 7.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22737	MEDIUM5.52	org.springframework:spring-webflux 7.0.3 fixed in 7.0.6, 6.2.17	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22740	MEDIUM5.52	org.springframework:spring-webflux 7.0.3 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22737	MEDIUM5.52	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.6, 6.2.17	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41002	MEDIUM5.5	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22747	MEDIUM5.5	org.springframework.security:spring-security-web 7.0.2 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-24734	MEDIUM5.1	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 11.0.18, 10.1.52, 9.0.115	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22754	MEDIUM5.1	org.springframework.security:spring-security-config 7.0.2 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webflux 7.0.3 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34483	MEDIUM4.59	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.54, 11.0.21	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webflux 7.0.3 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45674	MEDIUM4.08	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-47691	MEDIUM4.08	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-41004	LOW3.74	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.3, 5.0.3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42579	LOW3.71	io.netty:netty-codec-dns 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-42584	LOW3.71	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-24880	LOW3.65	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.52, 11.0.20	0.5% Theoretical Threat	Directly Exposed
CVE-2026-25854	LOW3.65	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.116, 10.1.53, 11.0.20	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-43514	LOW3.15	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22746	LOW3.15	org.springframework.security:spring-security-core 7.0.2 fixed in 6.5.10, 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	LOW3.01	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33557	LOW2.63	org.apache.kafka:kafka-clients 4.1.1 fixed in 4.1.2	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.6% Theoretical Threat	Post-Exploit
CVE-2025-59250	LOW2.48	com.microsoft.sqlserver:mssql-jdbc 13.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	libssl3t64 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	0.8% Theoretical Threat	Post-Exploit
CVE-2025-66566	LOW2.29	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-22735	LOW2.21	org.springframework:spring-webflux 7.0.3 fixed in 7.0.6, 6.2.17	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22735	LOW2.21	org.springframework:spring-webmvc 7.0.3 fixed in 7.0.6, 6.2.17	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW1.89	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31790	LOW1.81	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.9	1.0% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl 3.0.13-0ubuntu3.7 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33810	NONE0	stdlib v1.26.1 fixed in 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-33810	NONE0	stdlib 1.26.1 fixed in 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32280	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-32281	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32283	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-32280	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-32281	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32283	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-32282	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32282	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32289	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32289	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32288	NONE0	stdlib v1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-32288	NONE0	stdlib 1.26.1 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.20.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42582	NONE0	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-44892	NONE0	io.netty:netty-codec-http3 4.2.9.Final fixed in 4.2.15.Final	0.5% Theoretical Threat	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-43515	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Not Applicable
CVE-2026-41284	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.8% Theoretical Threat	Not Applicable
CVE-2026-43513	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.15 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Not Applicable
CVE-2026-22739	NONE0	org.springframework.cloud:spring-cloud-config-server 5.0.1 fixed in 4.3.2, 5.0.2	1.2% Low-Moderate Risk	Not Applicable
CVE-2026-41731	NONE0	org.springframework.kafka:spring-kafka 4.0.2 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Not Applicable
GHSA-2m67-wjpj-xhg9	NONE0	tools.jackson.core:jackson-core 3.0.4 fixed in 3.1.1	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	tools.jackson.core:jackson-core 3.0.4 fixed in 3.1.0	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib 1.26.1 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib 1.26.1 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib 1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib 1.26.1 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable