Last scanned:
This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via vulnerabilities in expr-eval (CVE-2025-12735) or Handlebars (CVE-2026-33937), or bypass proxy rules to access internal services via an SSRF flaw in axios (CVE-2025-62718). While some exploits require non-default configurations (e.g., attacker-controlled AST input for Handlebars), the majority of the top findings are exploitable under typical usage. The official Docker status does not compensate for the severe vulnerability load, and deployment should be blocked until all critical CVEs are addressed.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2025-62718 | HIGH7.92 | axios 1.8.3 fixed in 1.15.0, 0.31.0 | 1.2% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2025-12735 | HIGH7.84 | expr-eval 2.0.2 No fix yet | 2.3% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33937 | HIGH7.84 | handlebars 4.7.8 fixed in 4.7.9 | 1.8% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-4800 | HIGH7.84 | lodash 4.17.21 fixed in 4.18.0 | 1.7% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-44293 | HIGH7.48 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-12816 | HIGH7.39 | node-forge 1.3.1 fixed in 1.3.2 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-44490 | MEDIUM6.97 | axios 1.8.3 fixed in 1.16.0, 0.32.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33941 | MEDIUM6.97 | handlebars 4.7.8 fixed in 4.7.9 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-44705 | MEDIUM6.97 | tmp 0.0.33 fixed in 0.2.6 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-44494 | MEDIUM6.96 | axios 1.8.3 fixed in 1.16.0 | 1.0% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33938 | MEDIUM6.88 | handlebars 4.7.8 fixed in 4.7.9 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-33940 | MEDIUM6.88 | handlebars 4.7.8 fixed in 4.7.9 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-44291 | MEDIUM6.88 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-42043 | MEDIUM6.8 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.7% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-1525 | MEDIUM6.66 | undici 6.19.2 fixed in 6.24.0, 7.24.0 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-35213 | MEDIUM6.38 | @hapi/content 6.0.0 fixed in 6.0.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-44902 | MEDIUM6.38 | @opentelemetry/exporter-prometheus 0.31.0 fixed in 0.217.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-69873 | MEDIUM6.38 | ajv 8.17.1 fixed in 8.18.0, 6.14.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-44486 | MEDIUM6.38 | axios 1.8.3 fixed in 1.16.0, 0.32.0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-44487 | MEDIUM6.38 | axios 1.8.3 fixed in 1.16.0, 0.32.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-44488 | MEDIUM6.38 | axios 1.8.3 fixed in 1.16.0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-44496 | MEDIUM6.38 | axios 1.8.3 fixed in 1.16.0, 0.32.0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42038 | MEDIUM6.38 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42039 | MEDIUM6.38 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM6.38 | brace-expansion 1.1.11 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM6.38 | brace-expansion 2.0.1 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-6321 | MEDIUM6.38 | fast-uri 3.0.3 fixed in 3.1.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-6322 | MEDIUM6.38 | fast-uri 3.0.3 fixed in 3.1.2 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-26278 | MEDIUM6.38 | fast-xml-parser 4.4.1 fixed in 4.5.4, 5.3.6 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-33036 | MEDIUM6.38 | fast-xml-parser 4.4.1 fixed in 5.5.6, 4.5.5 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-27942 | MEDIUM6.38 | fast-xml-parser 4.4.1 fixed in 5.3.8, 4.5.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-12143 | MEDIUM6.38 | form-data 4.0.0 fixed in 2.5.6, 3.0.5, 4.0.6 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-33939 | MEDIUM6.38 | handlebars 4.7.8 fixed in 4.7.9 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-46625 | MEDIUM6.38 | js-cookie 2.2.1 fixed in 3.0.7 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-65945 | MEDIUM6.38 | jws 3.2.2 fixed in 3.2.3, 4.0.1 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-65945 | MEDIUM6.38 | jws 4.0.0 fixed in 3.2.3, 4.0.1 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-2327 | MEDIUM6.38 | markdown-it 14.1.0 fixed in 14.1.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM6.38 | minimatch 3.1.2 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM6.38 | minimatch 5.1.6 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM6.38 | minimatch 9.0.5 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-66031 | MEDIUM6.38 | node-forge 1.3.1 fixed in 1.3.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-33891 | MEDIUM6.38 | node-forge 1.3.1 fixed in 1.4.0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-33894 | MEDIUM6.38 | node-forge 1.3.1 fixed in 1.4.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33895 | MEDIUM6.38 | node-forge 1.3.1 fixed in 1.4.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-14874 | MEDIUM6.38 | nodemailer 6.9.15 fixed in 7.0.11 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-13033 | MEDIUM6.38 | nodemailer 6.9.15 fixed in 7.0.7 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-44289 | MEDIUM6.38 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-44290 | MEDIUM6.38 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-48712 | MEDIUM6.38 | protobufjs 7.2.5 fixed in 7.6.1, 8.4.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-44292 | MEDIUM6.38 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-45740 | MEDIUM6.38 | protobufjs 7.2.5 fixed in 7.5.8, 8.2.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-59343 | MEDIUM6.38 | tar-fs 3.0.8 fixed in 3.1.1, 2.1.4, 1.16.6 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-12151 | MEDIUM6.38 | undici 6.19.2 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-1528 | MEDIUM6.38 | undici 6.19.2 fixed in 6.24.0, 7.24.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-2229 | MEDIUM6.38 | undici 6.19.2 fixed in 6.24.0, 7.24.0 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2026-22036 | MEDIUM6.38 | undici 6.19.2 fixed in 7.18.2, 6.23.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-41907 | MEDIUM6.38 | uuid 10.0.0 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41907 | MEDIUM6.38 | uuid 8.3.2 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41907 | MEDIUM6.38 | uuid 9.0.1 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-48779 | MEDIUM6.38 | ws 8.18.0 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-45736 | MEDIUM6.38 | ws 8.18.0 fixed in 8.20.1 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-27795 | MEDIUM6.29 | @langchain/community 0.3.29 fixed in 1.1.18 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42033 | MEDIUM6.29 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-42035 | MEDIUM6.29 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-13204 | MEDIUM6.21 | expr-eval 2.0.2 No fix yet | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-48387 | MEDIUM6.21 | tar-fs 3.0.8 fixed in 1.16.5, 2.1.3, 3.0.9 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-42264 | MEDIUM6.18 | axios 1.8.3 fixed in 1.15.2 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42044 | MEDIUM6.18 | axios 1.8.3 fixed in 1.15.2 | 0.6% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33896 | MEDIUM6.18 | node-forge 1.3.1 fixed in 1.4.0 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-25896 | MEDIUM6.03 | fast-xml-parser 4.4.1 fixed in 5.3.5, 4.5.4 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-25639 | MEDIUM6 | axios 1.8.3 fixed in 1.13.5, 0.30.3 | 2.6% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2026-1526 | MEDIUM6 | undici 6.19.2 fixed in 6.24.0, 7.24.0 | 1.1% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2025-4802 | MEDIUM5.95 | libc-bin 2.31-0ubuntu9.17 fixed in 2.31-0ubuntu9.18 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-4802 | MEDIUM5.95 | libc6 2.31-0ubuntu9.17 fixed in 2.31-0ubuntu9.18 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-44495 | MEDIUM5.95 | axios 1.8.3 fixed in 1.15.2, 0.31.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-22150 | MEDIUM5.78 | undici 6.19.2 fixed in 5.28.5, 6.21.1, 7.2.3 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-8769 | MEDIUM5.52 | @ai-sdk/provider-utils 2.0.4 No fix yet | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42041 | MEDIUM5.52 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM5.52 | minimatch 3.1.2 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM5.52 | minimatch 5.1.6 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM5.52 | minimatch 9.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-33671 | MEDIUM5.52 | picomatch 2.3.1 fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-1527 | MEDIUM5.52 | undici 6.19.2 fixed in 6.24.0, 7.24.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33532 | MEDIUM5.52 | yaml 1.10.2 fixed in 2.8.3, 1.10.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-33532 | MEDIUM5.52 | yaml 2.3.4 fixed in 2.8.3, 1.10.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-33532 | MEDIUM5.52 | yaml 2.5.1 fixed in 2.8.3, 1.10.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-7783 | MEDIUM5.4 | form-data 4.0.0 fixed in 2.5.4, 3.0.4, 4.0.4 | 1.7% Low-Moderate Risk | Directly Exposed |
| CVE-2025-58754 | MEDIUM5.3 | axios 1.8.3 fixed in 1.12.0, 0.30.2 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2026-48038 | MEDIUM5.3 | joi 17.13.3 fixed in 18.2.1, 17.13.4 | — | Directly Exposed |
| CVE-2025-13465 | MEDIUM5.3 | lodash 4.17.21 fixed in 4.17.23 | 1.5% Low-Moderate Risk | Directly Exposed |
| CVE-2026-42042 | MEDIUM5.18 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42338 | MEDIUM5.18 | ip-address 9.0.5 fixed in 10.1.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libgssapi-krb5-2 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libk5crypto3 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libkrb5-3 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-3576 | MEDIUM5.02 | libkrb5support0 1.17-6ubuntu4.9 fixed in 1.17-6ubuntu4.11 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41324 | MEDIUM5.02 | basic-ftp 5.0.3 fixed in 5.3.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33349 | MEDIUM5.02 | fast-xml-parser 4.4.1 fixed in 4.5.5, 5.5.7 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM5.02 | minimatch 3.1.2 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM5.02 | minimatch 5.1.6 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM5.02 | minimatch 9.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-9679 | MEDIUM5.02 | undici 6.19.2 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-40175 | MEDIUM4.8 | axios 1.8.3 fixed in 1.15.0, 0.31.0 | 1.8% Low-Moderate Risk | Directly Exposed |
| CVE-2025-29088 | MEDIUM4.67 | libsqlite3-0 3.31.1-4ubuntu0.6 fixed in 3.31.1-4ubuntu0.7 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-41650 | MEDIUM4.59 | fast-xml-parser 4.4.1 fixed in 5.7.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2024-53382 | MEDIUM4.59 | prismjs 1.27.0 fixed in 1.30.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-54285 | MEDIUM4.5 | @opentelemetry/core 1.15.0 fixed in 2.8.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-54285 | MEDIUM4.5 | @opentelemetry/core 1.24.0 fixed in 2.8.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-54285 | MEDIUM4.5 | @opentelemetry/core 1.5.0 fixed in 2.8.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-54285 | MEDIUM4.5 | @opentelemetry/core 1.8.0 fixed in 2.8.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-44288 | MEDIUM4.5 | @protobufjs/utf8 1.1.0 fixed in 1.1.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-48985 | MEDIUM4.5 | ai 4.0.18 fixed in 5.0.52, 5.1.0-beta.9 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42034 | MEDIUM4.5 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42036 | MEDIUM4.5 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-42037 | MEDIUM4.5 | axios 1.8.3 fixed in 1.15.1 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-2739 | MEDIUM4.5 | bn.js 4.11.9 fixed in 4.12.3, 5.2.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-64718 | MEDIUM4.5 | js-yaml 3.14.1 fixed in 4.1.1, 3.14.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-53550 | MEDIUM4.5 | js-yaml 3.14.1 fixed in 4.2.0, 3.15.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-64718 | MEDIUM4.5 | js-yaml 4.1.0 fixed in 4.1.1, 3.14.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-53550 | MEDIUM4.5 | js-yaml 4.1.0 fixed in 4.2.0, 3.15.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM4.5 | lodash 4.17.21 fixed in 4.18.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-66030 | MEDIUM4.5 | node-forge 1.3.1 fixed in 1.3.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33672 | MEDIUM4.5 | picomatch 2.3.1 fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-44288 | MEDIUM4.5 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-44294 | MEDIUM4.5 | protobufjs 7.2.5 fixed in 7.5.6, 8.0.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-54269 | MEDIUM4.5 | protobufjs 7.2.5 fixed in 7.6.3, 8.6.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-54798 | MEDIUM4.5 | tmp 0.0.33 fixed in 0.2.4 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33916 | MEDIUM4 | handlebars 4.7.8 fixed in 4.7.9 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-26960 | LOW3.62 | tar 7.4.3 fixed in 7.5.8 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-26019 | LOW3.48 | @langchain/community 0.3.29 fixed in 1.1.14 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-3449 | LOW3.4 | @tootallnate/once 2.0.0 fixed in 3.0.1, 2.0.1 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-24842 | LOW3.34 | tar 7.4.3 fixed in 7.5.7 | 0.5% Theoretical Threat | Post-ExploitContext importance: MEDIUM |
| CVE-2026-29786 | LOW3.21 | tar 7.4.3 fixed in 7.5.10 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-42040 | LOW3.15 | axios 1.8.3 fixed in 1.15.1, 0.31.1 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-11525 | LOW3.15 | undici 6.19.2 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-6733 | LOW3.15 | undici 6.19.2 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-23745 | LOW3.11 | tar 7.4.3 fixed in 7.5.3 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-27699 | LOW3 | basic-ftp 5.0.3 fixed in 5.2.0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-40190 | LOW3 | langsmith 0.3.7 fixed in 0.5.18 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-41242 | LOW3 | protobufjs 7.2.5 fixed in 8.0.1, 7.5.5 | 0.7% Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW2.8 | tar 7.4.3 fixed in 7.5.11 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-53655 | LOW2.8 | tar 7.4.3 fixed in 7.5.16 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2025-68665 | LOW2.78 | @langchain/core 0.3.40 fixed in 1.1.8, 0.3.80 | 0.7% Theoretical Threat | Post-Exploit |
| CVE-2025-68665 | LOW2.78 | langchain 0.3.15 fixed in 1.2.3, 0.3.37 | 0.7% Theoretical Threat | Post-Exploit |
| CVE-2026-48068 | LOW2.7 | @grpc/grpc-js 1.8.22 fixed in 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4 | — | Post-Exploit |
| CVE-2026-48069 | LOW2.7 | @grpc/grpc-js 1.8.22 fixed in 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4 | — | Post-Exploit |
| CVE-2025-64756 | LOW2.7 | glob 10.4.5 fixed in 11.1.0, 10.5.0 | 3.1% Low-Moderate Risk | Post-Exploit |
| CVE-2025-5889 | LOW2.63 | brace-expansion 1.1.11 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-5889 | LOW2.63 | brace-expansion 2.0.1 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-47279 | LOW2.63 | undici 6.19.2 fixed in 5.29.0, 6.21.2, 7.5.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-23950 | LOW1.81 | tar 7.4.3 fixed in 7.5.4 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2025-27789 | NONE0 | @babel/runtime 7.25.0 fixed in 7.26.10, 8.0.0-alpha.17 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-44974 | NONE0 | @hapi/content 6.0.0 fixed in 6.0.2 | — | Not Applicable |
| CVE-2026-48049 | NONE0 | @hapi/inert 7.1.0 fixed in 7.1.1 | — | Not Applicable |
| CVE-2026-44979 | NONE0 | @hapi/wreck 18.1.0 fixed in 18.1.1 | — | Not Applicable |
| CVE-2026-48022 | NONE0 | @hapi/wreck 18.1.0 fixed in 18.1.2 | — | Not Applicable |
| GHSA-6475-r3vj-m8vf | NONE0 | @smithy/config-resolver 4.0.1 fixed in 4.4.0 | — | Not Applicable |
| CVE-2026-44240 | NONE0 | basic-ftp 5.0.3 fixed in 5.3.1 | 0.5% Theoretical Threat | Not Applicable |
| GHSA-6v7q-wjvx-w8wg | NONE0 | basic-ftp 5.0.3 fixed in 5.2.2 | — | Not Applicable |
| GHSA-r4q5-vmmm-2653 | NONE0 | follow-redirects 1.15.6 fixed in 1.16.0 | — | Not Applicable |
| GHSA-7rx3-28cr-v5wh | NONE0 | handlebars 4.7.8 fixed in 4.7.9 | — | Not Applicable |
| GHSA-442j-39wm-28r2 | NONE0 | handlebars 4.7.8 fixed in 4.7.9 | — | Not Applicable |
| CVE-2025-9910 | NONE0 | jsondiffpatch 0.6.0 fixed in 0.7.2 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-45134 | NONE0 | langsmith 0.3.7 fixed in 0.6.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-41182 | NONE0 | langsmith 0.3.7 fixed in 0.5.19 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-48801 | NONE0 | linkify-it 5.0.0 fixed in 5.0.1 | — | Not Applicable |
| CVE-2026-48988 | NONE0 | markdown-it 14.1.0 fixed in 14.2.0 | 0.3% Theoretical Threat | Not Applicable |
| GHSA-p6gq-j5cr-w38f | NONE0 | nodemailer 6.9.15 fixed in 9.0.1 | — | Not Applicable |
| GHSA-268h-hp4c-crq3 | NONE0 | nodemailer 6.9.15 fixed in 8.0.9 | — | Not Applicable |
| GHSA-r7g4-qg5f-qqm2 | NONE0 | nodemailer 6.9.15 fixed in 8.0.8 | — | Not Applicable |
| GHSA-vvjj-xcjg-gr5g | NONE0 | nodemailer 6.9.15 fixed in 8.0.5 | — | Not Applicable |
| GHSA-wqvq-jvpq-h66f | NONE0 | nodemailer 6.9.15 fixed in 8.0.9 | — | Not Applicable |
| GHSA-c7w3-x93f-qmm8 | NONE0 | nodemailer 6.9.15 fixed in 8.0.4 | — | Not Applicable |
| CVE-2025-47934 | NONE0 | openpgp 5.10.1 fixed in 5.11.3, 6.1.1 | 0.6% Theoretical Threat | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.