Vulnerability Reporthyness/spring-cloud-config-server:jdk19

Name: hyness/spring-cloud-config-server:jdk19 Security Vulnerability Report
Creator: BaseImage
Keywords: hyness/spring-cloud-config-server:jdk19, Docker security, vulnerability scan, CVE, container security, SBOM

hyness/spring-cloud-config-server:jdk19

DIGESTsha256:7dc32a746c9dfd2cca1001287581b1889d22d967866f9c6a42c7afac1d8a5f32

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via CVE-2022-1471, or perform request smuggling to bypass security controls and access unauthorized resources via CVE-2023-46589. The container, being a Spring Cloud Config Server, is highly likely to process YAML configuration, making the SnakeYaml RCE vulnerability (CVE-2022-1471) particularly concerning. While some other high-severity issues identified, such as CVE-2025-24813, may require specific non-default Tomcat configurations to be exploitable, the presence of these immediate and highly impactful vulnerabilities necessitates avoiding this image.

Threat Score

100/100

DANGEROUS

Presence of a critical remote code execution (RCE) vulnerability, CVE-2022-1471, in SnakeYaml (installed version 1.33) with a maximum severity of 10.0, which is highly relevant for a Spring Cloud Config Server processing YAML content from potentially untrusted sources.
Multiple critical vulnerabilities in embedded Tomcat components, including CVE-2023-46589 for HTTP request smuggling and CVE-2023-44487 for a DDoS 'Rapid Reset Attack,' both with high exploitation likelihood and severity 9.75.
The image contains a total of 140 exposed vulnerabilities, with 13 having a severity of 7.0 or higher.
Despite coming from a popular community publisher, the significant number of severe and highly exploitable vulnerabilities makes this image unsuitable for production use.

Reputation

RELIABLE

hyness

POPULAR COMMUNITY

High Reputation Community Image (18M+ pulls)
Pinned by digest (Immutable)

BaseImage/

hyness/spring-cloud-config-server:jdk19

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

229 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2022-1471	CRITICAL10	org.yaml:snakeyaml 1.33 fixed in 2.0	93.8% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2023-46589	CRITICAL9.75	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.0-M11, 10.1.16, 9.0.83, 8.5.96	57.9% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2023-44487	CRITICAL9.75	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94	94.4% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2023-34040	HIGH8.97	org.springframework.kafka:spring-kafka 3.0.5 fixed in 2.9.11, 3.0.10	21.4% High Exploitation Risk	Directly Exposed
CVE-2025-24813	HIGH8	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.3, 10.1.35, 9.0.99	94.1% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-34034	HIGH8	org.springframework.security:spring-security-config 6.0.2 fixed in 5.6.12, 5.7.10, 5.8.5, 6.0.5, 6.1.2	47.9% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-42581	HIGH7.84	io.netty:netty-codec-http 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-42585	HIGH7.5	io.netty:netty-codec-http 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly Exposed
CVE-2026-42578	HIGH7.5	io.netty:netty-handler-proxy 4.1.90.Final fixed in 4.1.133.Final, 4.2.13.Final	—	Directly Exposed
CVE-2023-4759	HIGH7.48	org.eclipse.jgit:org.eclipse.jgit 6.4.0.202211300538-r fixed in 6.6.1.202309021850-r, 5.13.3.202401111512-r	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42579	HIGH7.28	io.netty:netty-codec-dns 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-42584	HIGH7.28	io.netty:netty-codec-http 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2023-41080	HIGH7.01	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11	11.6% High Exploitation Risk	Directly Exposed
CVE-2023-45648	MEDIUM6.89	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94	59.5% Actively Exploited	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 11.2.3 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 11.2.3.jre17 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-2650	MEDIUM6.76	libssl1.1 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.23	92.1% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-2650	MEDIUM6.76	openssl 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.23	92.1% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-20873	MEDIUM6.66	org.springframework.boot:spring-boot-actuator-autoconfigure 3.0.5 fixed in 3.0.6, 2.7.11, 2.6.15, 2.5.15	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42580	MEDIUM6.5	io.netty:netty-codec-http 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 6.0.7 fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.2% Low-Moderate Risk	Directly Exposed
CVE-2023-0464	MEDIUM6.38	libssl1.1 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.22	0.5% Theoretical Threat	Directly Exposed
CVE-2023-6378	MEDIUM6.38	ch.qos.logback:logback-classic 1.4.6 fixed in 1.3.12, 1.4.12, 1.2.13	0.6% Theoretical Threat	Directly Exposed
CVE-2023-6378	MEDIUM6.38	ch.qos.logback:logback-core 1.4.6 fixed in 1.3.12, 1.4.12, 1.2.13	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.90.Final fixed in 4.1.125.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.90.Final fixed in 4.1.132.Final, 4.2.10.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.90.Final fixed in 4.1.125.Final, 4.2.5.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.90.Final fixed in 4.2.4.Final, 4.1.124.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.90.Final fixed in 4.1.132.Final, 4.2.11.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-34054	MEDIUM6.38	io.projectreactor.netty:reactor-netty-core 1.1.5 fixed in 1.1.13, 1.0.39	0.2% Theoretical Threat	Directly Exposed
CVE-2023-28709	MEDIUM6.38	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.0-M5, 10.1.8, 9.0.74	0.4% Theoretical Threat	Directly Exposed
CVE-2026-24734	MEDIUM6.38	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.18, 10.1.52, 9.0.115	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk15on 1.69 fixed in 1.84	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.5.4 fixed in 42.7.11	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-20883	MEDIUM6.38	org.springframework.boot:spring-boot-autoconfigure 3.0.5 fixed in 3.0.7, 2.7.12, 2.6.15, 2.5.15	0.7% Theoretical Threat	Directly Exposed
CVE-2023-34053	MEDIUM6.38	org.springframework:spring-webmvc 6.0.7 fixed in 6.0.14	0.6% Theoretical Threat	Directly Exposed
CVE-2023-34455	MEDIUM6.38	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	0.6% Theoretical Threat	Directly Exposed
CVE-2023-43642	MEDIUM6.38	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.4	0.2% Theoretical Threat	Directly Exposed
CVE-2023-34454	MEDIUM6.38	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	0.7% Theoretical Threat	Directly Exposed
CVE-2023-46120	MEDIUM6	com.rabbitmq:amqp-client 5.16.0 fixed in 5.18.0	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2023-34062	MEDIUM6	io.projectreactor.netty:reactor-netty-http 1.1.5 fixed in 1.1.13, 1.0.39	1.9% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2023-34453	MEDIUM6	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.5% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.3.2 fixed in 3.9.2, 4.0.2, 4.1.2	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.90.Final fixed in 4.1.133.Final, 4.2.13.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-34462	MEDIUM5.52	io.netty:netty-handler 4.1.90.Final fixed in 4.1.94.Final	1.0% Theoretical Threat	Directly Exposed
CVE-2026-34487	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.117, 10.1.54, 11.0.21	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-34055	MEDIUM5.52	org.springframework.boot:spring-boot-actuator 3.0.5 fixed in 2.7.18, 3.0.13, 3.1.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 6.0.2 fixed in 6.5.9, 7.0.4	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22737	MEDIUM5.52	org.springframework:spring-webflux 6.0.7 fixed in 7.0.6, 6.2.17	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22737	MEDIUM5.52	org.springframework:spring-webmvc 6.0.7 fixed in 7.0.6, 6.2.17	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-20862	MEDIUM5.35	org.springframework.security:spring-security-core 6.0.2 fixed in 5.7.8, 5.8.3, 6.0.3	0.5% Theoretical Threat	Directly Exposed
CVE-2023-34035	MEDIUM5.3	org.springframework.security:spring-security-config 6.0.2 fixed in 5.8.5, 6.0.5, 6.1.2	2.5% Low-Moderate Risk	Directly Exposed
CVE-2024-38820	MEDIUM5.3	org.springframework:spring-context 6.0.7 fixed in 6.1.14	1.5% Low-Moderate Risk	Directly Exposed
CVE-2024-38820	MEDIUM5.3	org.springframework:spring-web 6.0.7 fixed in 6.1.14	1.5% Low-Moderate Risk	Directly Exposed
CVE-2024-41909	MEDIUM5.02	org.apache.sshd:sshd-common 2.9.2 fixed in 2.12.0	0.5% Theoretical Threat	Directly Exposed
CVE-2024-1597	MEDIUM5	org.postgresql:postgresql 42.5.4 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.90.Final fixed in 4.1.118.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-33202	MEDIUM4.67	org.bouncycastle:bcprov-jdk15on 1.69 fixed in 1.70	0.2% Theoretical Threat	Directly Exposed
CVE-2023-20859	MEDIUM4.67	org.springframework.vault:spring-vault-core 3.0.0 fixed in 3.0.2, 2.3.3	0.1% Theoretical Threat	Directly Exposed
CVE-2025-66614	MEDIUM4.64	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.15, 10.1.50, 9.0.113	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34483	MEDIUM4.59	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.116, 10.1.54, 11.0.21	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-0465	MEDIUM4.5	libssl1.1 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.22	0.5% Theoretical Threat	Directly Exposed
CVE-2023-0466	MEDIUM4.5	libssl1.1 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.22	0.8% Theoretical Threat	Directly Exposed
CVE-2023-42795	MEDIUM4.5	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94	0.7% Theoretical Threat	Directly Exposed
CVE-2023-33201	MEDIUM4.5	org.bouncycastle:bcprov-jdk15on 1.69 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2025-4949	MEDIUM4.5	org.eclipse.jgit:org.eclipse.jgit 6.4.0.202211300538-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	0.2% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.4.6 fixed in 1.5.25	<0.1% Theoretical Threat	Directly Exposed
CVE-2023-0464	LOW3.83	openssl 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.22	0.5% Theoretical Threat	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-common 2.9.2 fixed in 2.9.3	0.1% Theoretical Threat	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-sftp 2.9.2 fixed in 2.9.3	0.1% Theoretical Threat	Directly Exposed
CVE-2026-24880	LOW3.65	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.116, 10.1.52, 11.0.20	0.2% Theoretical Threat	Directly Exposed
CVE-2026-25854	LOW3.65	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.116, 10.1.53, 11.0.20	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-24733	LOW3.15	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.15, 10.1.50, 9.0.113	0.2% Theoretical Threat	Directly Exposed
CVE-2023-0465	LOW2.7	openssl 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.22	0.5% Theoretical Threat	Post-Exploit
CVE-2023-0466	LOW2.7	openssl 1.1.1-1ubuntu2.1~18.04.21 fixed in 1.1.1-1ubuntu2.1~18.04.22	0.8% Theoretical Threat	Post-Exploit
CVE-2026-22735	LOW2.21	org.springframework:spring-webflux 6.0.7 fixed in 7.0.6, 6.2.17	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22735	LOW2.21	org.springframework:spring-webmvc 6.0.7 fixed in 7.0.6, 6.2.17	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-68121	NONE0	stdlib v1.18.8 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	<0.1% Theoretical Threat	Not Applicable
CVE-2023-24538	NONE0	stdlib v1.18.8 fixed in 1.19.8, 1.20.3	0.8% Theoretical Threat	Not Applicable
CVE-2023-24540	NONE0	stdlib v1.18.8 fixed in 1.19.9, 1.20.4	0.2% Theoretical Threat	Not Applicable
CVE-2024-24790	NONE0	stdlib v1.18.8 fixed in 1.21.11, 1.22.4	0.2% Theoretical Threat	Not Applicable
CVE-2023-29403	NONE0	stdlib v1.18.8 fixed in 1.19.10, 1.20.5	<0.1% Theoretical Threat	Not Applicable
CVE-2022-41720	NONE0	stdlib v1.18.8 fixed in 1.18.9, 1.19.4	<0.1% Theoretical Threat	Not Applicable
CVE-2022-41722	NONE0	stdlib v1.18.8 fixed in 1.19.6, 1.20.1	0.3% Theoretical Threat	Not Applicable
CVE-2022-41723	NONE0	stdlib v1.18.8 fixed in 1.19.6, 1.20.1	0.2% Theoretical Threat	Not Applicable
CVE-2022-41724	NONE0	stdlib v1.18.8 fixed in 1.19.6, 1.20.1	<0.1% Theoretical Threat	Not Applicable
CVE-2022-41725	NONE0	stdlib v1.18.8 fixed in 1.19.6, 1.20.1	<0.1% Theoretical Threat	Not Applicable
CVE-2023-24534	NONE0	stdlib v1.18.8 fixed in 1.19.8, 1.20.3	0.1% Theoretical Threat	Not Applicable
CVE-2023-24536	NONE0	stdlib v1.18.8 fixed in 1.19.8, 1.20.3	<0.1% Theoretical Threat	Not Applicable
CVE-2023-24537	NONE0	stdlib v1.18.8 fixed in 1.19.8, 1.20.3	<0.1% Theoretical Threat	Not Applicable
CVE-2023-39325	NONE0	stdlib v1.18.8 fixed in 1.20.10, 1.21.3	0.1% Theoretical Threat	Not Applicable
CVE-2023-45283	NONE0	stdlib v1.18.8 fixed in 1.20.11, 1.21.4, 1.20.12, 1.21.5	0.3% Theoretical Threat	Not Applicable
CVE-2023-45287	NONE0	stdlib v1.18.8 fixed in 1.20.0	0.2% Theoretical Threat	Not Applicable
CVE-2025-61726	NONE0	stdlib v1.18.8 fixed in 1.24.12, 1.25.6	<0.1% Theoretical Threat	Not Applicable
CVE-2026-25679	NONE0	stdlib v1.18.8 fixed in 1.25.8, 1.26.1	<0.1% Theoretical Threat	Not Applicable
CVE-2026-32280	NONE0	stdlib v1.18.8 fixed in 1.25.9, 1.26.2	<0.1% Theoretical Threat	Not Applicable
CVE-2026-32281	NONE0	stdlib v1.18.8 fixed in 1.25.9, 1.26.2	<0.1% Theoretical Threat	Not Applicable
CVE-2026-32283	NONE0	stdlib v1.18.8 fixed in 1.25.9, 1.26.2	<0.1% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61728	NONE0	stdlib v1.18.8 fixed in 1.24.12, 1.25.6	<0.1% Theoretical Threat	Not Applicable
CVE-2022-41723	NONE0	golang.org/x/net v0.2.0 fixed in 0.7.0	0.2% Theoretical Threat	Not Applicable
CVE-2023-39325	NONE0	golang.org/x/net v0.2.0 fixed in 0.17.0	0.1% Theoretical Threat	Not Applicable
CVE-2023-44487	NONE0	golang.org/x/net v0.2.0 fixed in 0.17.0	94.4% Actively Exploited	Not Applicable
CVE-2023-24539	NONE0	stdlib v1.18.8 fixed in 1.19.9, 1.20.4	<0.1% Theoretical Threat	Not Applicable
CVE-2023-29400	NONE0	stdlib v1.18.8 fixed in 1.19.9, 1.20.4	<0.1% Theoretical Threat	Not Applicable
CVE-2023-29406	NONE0	stdlib v1.18.8 fixed in 1.19.11, 1.20.6	0.3% Theoretical Threat	Not Applicable
CVE-2026-32282	NONE0	stdlib v1.18.8 fixed in 1.25.9, 1.26.2	<0.1% Theoretical Threat	Not Applicable
CVE-2023-39318	NONE0	stdlib v1.18.8 fixed in 1.20.8, 1.21.1	<0.1% Theoretical Threat	Not Applicable
CVE-2023-39319	NONE0	stdlib v1.18.8 fixed in 1.20.8, 1.21.1	<0.1% Theoretical Threat	Not Applicable
CVE-2026-32289	NONE0	stdlib v1.18.8 fixed in 1.25.9, 1.26.2	<0.1% Theoretical Threat	Not Applicable
CVE-2023-3978	NONE0	golang.org/x/net v0.2.0 fixed in 0.13.0	<0.1% Theoretical Threat	Not Applicable
CVE-2024-24789	NONE0	stdlib v1.18.8 fixed in 1.21.11, 1.22.4	<0.1% Theoretical Threat	Not Applicable
CVE-2026-32288	NONE0	stdlib v1.18.8 fixed in 1.25.9, 1.26.2	<0.1% Theoretical Threat	Not Applicable
CVE-2026-27142	NONE0	stdlib v1.18.8 fixed in 1.25.8, 1.26.1	<0.1% Theoretical Threat	Not Applicable
CVE-2022-41717	NONE0	stdlib v1.18.8 fixed in 1.18.9, 1.19.4	0.3% Theoretical Threat	Not Applicable
CVE-2023-24532	NONE0	stdlib v1.18.8 fixed in 1.19.7, 1.20.2	<0.1% Theoretical Threat	Not Applicable
CVE-2023-29409	NONE0	stdlib v1.18.8 fixed in 1.19.12, 1.20.7, 1.21.0-rc.4	0.1% Theoretical Threat	Not Applicable
CVE-2023-39326	NONE0	stdlib v1.18.8 fixed in 1.20.12, 1.21.5	0.1% Theoretical Threat	Not Applicable
CVE-2023-45284	NONE0	stdlib v1.18.8 fixed in 1.20.11, 1.21.4	<0.1% Theoretical Threat	Not Applicable
CVE-2025-22873	NONE0	stdlib v1.18.8 fixed in 1.23.9, 1.24.3	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61730	NONE0	stdlib v1.18.8 fixed in 1.24.12, 1.25.6	<0.1% Theoretical Threat	Not Applicable
CVE-2022-41717	NONE0	golang.org/x/net v0.2.0 fixed in 0.4.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-27139	NONE0	stdlib v1.18.8 fixed in 1.25.8, 1.26.1	<0.1% Theoretical Threat	Not Applicable
CVE-2024-12798	NONE0	ch.qos.logback:logback-core 1.4.6 fixed in 1.5.13, 1.3.15	0.2% Theoretical Threat	Not Applicable
CVE-2025-11226	NONE0	ch.qos.logback:logback-core 1.4.6 fixed in 1.5.19, 1.3.16	<0.1% Theoretical Threat	Not Applicable
CVE-2024-12801	NONE0	ch.qos.logback:logback-core 1.4.6 fixed in 1.5.13, 1.3.15	<0.1% Theoretical Threat	Not Applicable
CVE-2025-52999	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.2 fixed in 2.15.0	0.3% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2025-52999	NONE0	com.fasterxml.jackson.core:jackson-core 2.14.2 fixed in 2.15.0	0.3% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.14.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.90.Final fixed in 4.1.133.Final	—	Not Applicable
CVE-2026-42587	NONE0	io.netty:netty-codec-http 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Not Applicable
CVE-2024-29025	NONE0	io.netty:netty-codec-http 4.1.90.Final fixed in 4.1.108.Final	0.3% Theoretical Threat	Not Applicable
CVE-2025-67735	NONE0	io.netty:netty-codec-http 4.1.90.Final fixed in 4.2.8.Final, 4.1.129.Final	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42587	NONE0	io.netty:netty-codec-http2 4.1.90.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.90.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2024-47535	NONE0	io.netty:netty-common 4.1.90.Final fixed in 4.1.115.Final	0.5% Theoretical Threat	Not Applicable
CVE-2025-22227	NONE0	io.projectreactor.netty:reactor-netty-http 1.1.5 fixed in 1.3.0-M5, 1.2.8	0.1% Theoretical Threat	Not Applicable
CVE-2020-36843	NONE0	net.i2p.crypto:eddsa 0.3.0 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2024-31141	NONE0	org.apache.kafka:kafka-clients 3.3.2 fixed in 3.7.1	0.2% Theoretical Threat	Not Applicable
CVE-2025-27817	NONE0	org.apache.kafka:kafka-clients 3.3.2 fixed in 3.9.1	19.1% High Exploitation Risk	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.3.2 fixed in 3.9.2, 4.0.1	0.1% Theoretical Threat	Not Applicable
CVE-2026-41293	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2026-43512	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2026-43515	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2024-34750	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.0-M21, 10.1.25, 9.0.90	21.5% High Exploitation Risk	Not Applicable
CVE-2024-50379	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.2, 10.1.34, 9.0.98	85.0% Actively Exploited	Not Applicable
CVE-2024-56337	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.2, 10.1.34, 9.0.98	12.9% High Exploitation Risk	Not Applicable
CVE-2025-48988	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.8, 10.1.42, 9.0.106	0.8% Theoretical Threat	Not Applicable
CVE-2025-48989	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.10, 10.1.44, 9.0.108	1.0% Theoretical Threat	Not Applicable
CVE-2025-52520	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.9, 10.1.43, 9.0.107	0.7% Theoretical Threat	Not Applicable
CVE-2025-53506	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.107, 10.1.43, 11.0.9	1.2% Low-Moderate Risk	Not Applicable
CVE-2025-55752	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.11, 10.1.45, 9.0.109	0.1% Theoretical Threat	Not Applicable
CVE-2026-41284	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42498	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2026-43513	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2024-24549	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 8.5.99, 9.0.86, 10.1.19, 11.0.0-M17	64.4% Actively Exploited	Not Applicable
CVE-2025-49124	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.8, 10.1.42, 9.0.106	0.2% Theoretical Threat	Not Applicable
CVE-2025-49125	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.8, 10.1.42, 9.0.106	0.3% Theoretical Threat	Not Applicable
CVE-2025-46701	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.105, 10.1.41, 11.0.7	0.1% Theoretical Threat	Not Applicable
CVE-2025-55754	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.11, 10.1.45, 9.0.109	0.1% Theoretical Threat	Not Applicable
CVE-2025-61795	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 11.0.12, 10.1.47, 9.0.110	0.1% Theoretical Threat	Not Applicable
CVE-2026-43514	NONE0	org.apache.tomcat.embed:tomcat-embed-core 10.1.7 fixed in 9.0.118, 10.1.55, 11.0.22	<0.1% Theoretical Threat	Not Applicable
CVE-2024-23672	NONE0	org.apache.tomcat.embed:tomcat-embed-websocket 10.1.7 fixed in 11.0.0-M17, 10.1.19, 9.0.86, 8.5.99	1.4% Low-Moderate Risk	Not Applicable
CVE-2025-8916	NONE0	org.bouncycastle:bcpkix-jdk15on 1.69 fixed in 1.79	<0.1% Theoretical Threat	Not Applicable
CVE-2024-29857	NONE0	org.bouncycastle:bcprov-jdk15on 1.69 fixed in 1.78	0.2% Theoretical Threat	Not Applicable
CVE-2024-30171	NONE0	org.bouncycastle:bcprov-jdk15on 1.69 fixed in 1.78	0.1% Theoretical Threat	Not Applicable
CVE-2024-34447	NONE0	org.bouncycastle:bcprov-jdk15on 1.69 fixed in 1.78	0.1% Theoretical Threat	Not Applicable
CVE-2025-12183	NONE0	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.1% Theoretical Threat	Not Applicable
CVE-2025-66566	NONE0	org.lz4:lz4-java 1.8.0 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-22739	NONE0	org.springframework.cloud:spring-cloud-config-server 4.0.2 fixed in 4.3.2, 5.0.2	12.1% High Exploitation Risk	Not Applicable
CVE-2024-22271	NONE0	org.springframework.cloud:spring-cloud-function-context 4.0.2 fixed in 4.0.8, 4.1.2	0.3% Theoretical Threat	Not Applicable
CVE-2024-22257	NONE0	org.springframework.security:spring-security-core 6.0.2 fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.3% Theoretical Threat	Not Applicable
CVE-2024-38827	NONE0	org.springframework.security:spring-security-core 6.0.2 fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Not Applicable
CVE-2025-22228	NONE0	org.springframework.security:spring-security-crypto 6.0.2 fixed in 6.3.8, 6.4.4, 6.2.10, 6.1.14, 6.0.16, 5.8.18, 5.7.16	<0.1% Theoretical Threat	Not Applicable
CVE-2024-38821	NONE0	org.springframework.security:spring-security-web 6.0.2 fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	13.1% High Exploitation Risk	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 6.0.7 fixed in 6.2.7, 6.1.20	<0.1% Theoretical Threat	Not Applicable
CVE-2025-41249	NONE0	org.springframework:spring-core 6.0.7 fixed in 6.2.11	<0.1% Theoretical Threat	Not Applicable
CVE-2024-22243	NONE0	org.springframework:spring-web 6.0.7 fixed in 6.1.4, 6.0.17, 5.3.32	59.6% Actively Exploited	Not Applicable
CVE-2024-22259	NONE0	org.springframework:spring-web 6.0.7 fixed in 6.1.5, 6.0.18, 5.3.33	56.4% Actively Exploited	Not Applicable
CVE-2024-22262	NONE0	org.springframework:spring-web 6.0.7 fixed in 5.3.34, 6.0.19, 6.1.6	12.6% High Exploitation Risk	Not Applicable
CVE-2024-38809	NONE0	org.springframework:spring-web 6.0.7 fixed in 5.3.38, 6.0.23, 6.1.12	0.1% Theoretical Threat	Not Applicable
CVE-2025-41234	NONE0	org.springframework:spring-web 6.0.7 fixed in 6.2.8, 6.1.21	0.3% Theoretical Threat	Not Applicable
CVE-2024-38816	NONE0	org.springframework:spring-webflux 6.0.7 fixed in 6.1.13	93.9% Actively Exploited	Not Applicable
CVE-2024-38819	NONE0	org.springframework:spring-webflux 6.0.7 fixed in 6.1.14	92.5% Actively Exploited	Not Applicable
CVE-2024-38816	NONE0	org.springframework:spring-webmvc 6.0.7 fixed in 6.1.13	93.9% Actively Exploited	Not Applicable
CVE-2024-38819	NONE0	org.springframework:spring-webmvc 6.0.7 fixed in 6.1.14	92.5% Actively Exploited	Not Applicable
CVE-2025-41242	NONE0	org.springframework:spring-webmvc 6.0.7 fixed in 6.2.10	6.6% Low-Moderate Risk	Not Applicable
CVE-2025-22871	NONE0	stdlib v1.18.8 fixed in 1.23.8, 1.24.2	0.3% Theoretical Threat	Not Applicable
CVE-2025-47906	NONE0	stdlib v1.18.8 fixed in 1.23.12, 1.24.6	<0.1% Theoretical Threat	Not Applicable
CVE-2025-47907	NONE0	stdlib v1.18.8 fixed in 1.23.12, 1.24.6	<0.1% Theoretical Threat	Not Applicable
CVE-2025-47912	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-58183	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-58185	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-58186	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-58187	NONE0	stdlib v1.18.8 fixed in 1.24.9, 1.25.3	<0.1% Theoretical Threat	Not Applicable
CVE-2025-58188	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-58189	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61723	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61724	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61725	NONE0	stdlib v1.18.8 fixed in 1.24.8, 1.25.2	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61727	NONE0	stdlib v1.18.8 fixed in 1.24.11, 1.25.5	<0.1% Theoretical Threat	Not Applicable
CVE-2025-61729	NONE0	stdlib v1.18.8 fixed in 1.24.11, 1.25.5	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2023-45288	NONE0	stdlib v1.18.8 fixed in 1.21.9, 1.22.2	69.9% Actively Exploited	Not Applicable
CVE-2023-45289	NONE0	stdlib v1.18.8 fixed in 1.21.8, 1.22.1	0.6% Theoretical Threat	Not Applicable
CVE-2023-45290	NONE0	stdlib v1.18.8 fixed in 1.21.8, 1.22.1	0.4% Theoretical Threat	Not Applicable
CVE-2024-24783	NONE0	stdlib v1.18.8 fixed in 1.21.8, 1.22.1	0.6% Theoretical Threat	Not Applicable
CVE-2024-24784	NONE0	stdlib v1.18.8 fixed in 1.21.8, 1.22.1	2.0% Low-Moderate Risk	Not Applicable
CVE-2024-24785	NONE0	stdlib v1.18.8 fixed in 1.21.8, 1.22.1	0.9% Theoretical Threat	Not Applicable
CVE-2024-24791	NONE0	stdlib v1.18.8 fixed in 1.21.12, 1.22.5	1.0% Low-Moderate Risk	Not Applicable
CVE-2024-34155	NONE0	stdlib v1.18.8 fixed in 1.22.7, 1.23.1	<0.1% Theoretical Threat	Not Applicable
CVE-2024-34156	NONE0	stdlib v1.18.8 fixed in 1.22.7, 1.23.1	0.3% Theoretical Threat	Not Applicable
CVE-2024-34158	NONE0	stdlib v1.18.8 fixed in 1.22.7, 1.23.1	0.2% Theoretical Threat	Not Applicable
CVE-2024-45336	NONE0	stdlib v1.18.8 fixed in 1.22.11, 1.23.5, 1.24.0-rc.2	0.1% Theoretical Threat	Not Applicable
CVE-2024-45341	NONE0	stdlib v1.18.8 fixed in 1.22.11, 1.23.5, 1.24.0-rc.2	0.1% Theoretical Threat	Not Applicable
CVE-2025-0913	NONE0	stdlib v1.18.8 fixed in 1.23.10, 1.24.4	<0.1% Theoretical Threat	Not Applicable
CVE-2025-22866	NONE0	stdlib v1.18.8 fixed in 1.22.12, 1.23.6, 1.24.0-rc.3	<0.1% Theoretical Threat	Not Applicable
CVE-2025-22870	NONE0	stdlib v1.18.8 fixed in 1.23.7, 1.24.1	<0.1% Theoretical Threat	Not Applicable
CVE-2025-4673	NONE0	stdlib v1.18.8 fixed in 1.23.10, 1.24.4	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.18.8 fixed in 1.25.10, 1.26.3	<0.1% Theoretical Threat	Not Applicable
CVE-2023-45288	NONE0	golang.org/x/net v0.2.0 fixed in 0.23.0	69.9% Actively Exploited	Not Applicable
CVE-2025-22870	NONE0	golang.org/x/net v0.2.0 fixed in 0.36.0	<0.1% Theoretical Threat	Not Applicable
CVE-2025-22872	NONE0	golang.org/x/net v0.2.0 fixed in 0.38.0	0.1% Theoretical Threat	Not Applicable