Vulnerability Reportlitellm/litellm-database:main-v1.83.7-stable

Name: litellm/litellm-database:main-v1.83.7-stable Security Vulnerability Report
Creator: BaseImage
Keywords: litellm/litellm-database:main-v1.83.7-stable, Docker security, vulnerability scan, CVE, container security, SBOM

DIGESTsha256:44b7a2ac44889134cd9c52f0fa11a15db8ef45c470e657ab561981195fe31c72

Executive Summary

CAUTION

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit critical vulnerabilities, leading to arbitrary code execution, information disclosure, or denial of service, especially via cryptographic operations on the exposed port 4000. Specifically, CVE-2026-39892 in the 'cryptography' library is highly impactful due to its severity and the nature of the Python application. Furthermore, CVE-2026-28684 could enable arbitrary file overwrites under specific conditions via the 'python-dotenv' library. Given the image's unverified community status and low reputation, thorough review and hardening are essential before considering any production use.

Threat Score

74/100

CAUTION

Critically severe exposed vulnerability, CVE-2026-39892 (severity 8.33), in the 'cryptography' library, which is likely used by the Python application and could lead to arbitrary code execution, information disclosure, or denial of service.
Another high-severity exposed vulnerability, CVE-2026-28684 (severity 7.1), which allows arbitrary file overwrite via symbolic link following in 'python-dotenv'.
A total of 30 exposed vulnerabilities were identified, with 4 rated severity 6.0 or higher, including CVE-2026-6100 (severity 6.48) affecting Python's decompression modules.
The image is from an 'UNVERIFIED' 'COMMUNITY' publisher with low reputation (2 stars), indicating potential trust concerns.

Reputation

UNVERIFIED

litellm

COMMUNITY

Community Image with low/unknown reputation
Pinned by digest (Immutable)

BaseImage/

litellm/litellm-database:main-v1.83.7-stable

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

34 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-39892	HIGH8.33	cryptography 46.0.5 fixed in 46.0.7	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-28684	HIGH7.1	python-dotenv 1.0.1 fixed in 1.2.2	—	Directly Exposed
CVE-2026-6100	MEDIUM6.48	python-3.13 3.13.13-r1 fixed in 3.13.13-r2	—	Directly ExposedContext importance: MEDIUM
CVE-2026-6100	MEDIUM6.48	python-3.13-base 3.13.13-r1 fixed in 3.13.13-r2	—	Directly ExposedContext importance: MEDIUM
CVE-2026-40347	MEDIUM5.9	python-multipart 0.0.20 fixed in 0.0.26	—	Directly ExposedContext importance: HIGH
CVE-2026-4437	MEDIUM5.52	glibc 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-4437	MEDIUM5.52	glibc-locale-posix 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-4437	MEDIUM5.52	ld-linux 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-4437	MEDIUM5.52	libcrypt1 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-24486	MEDIUM5.1	python-multipart 0.0.20 fixed in 0.0.22	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-67221	MEDIUM4.67	orjson 3.10.15 fixed in 3.11.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40192	MEDIUM4.5	pillow 12.1.1 fixed in 12.2.0	—	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.43-r3 fixed in 2.43-r6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-locale-posix 2.43-r3 fixed in 2.43-r6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	ld-linux 2.43-r3 fixed in 2.43-r6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libcrypt1 2.43-r3 fixed in 2.43-r6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33672	MEDIUM4.5	picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34073	MEDIUM4.5	cryptography 46.0.5 fixed in 46.0.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-1502	MEDIUM4.5	python-3.13 3.13.13-r1 fixed in 3.13.13-r2	—	Directly Exposed
CVE-2026-1502	MEDIUM4.5	python-3.13-base 3.13.13-r1 fixed in 3.13.13-r2	—	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-locale-posix 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	ld-linux 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libcrypt1 2.43-r3 fixed in 2.43-r4	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40260	LOW3.18	pypdf 6.9.2 fixed in 6.10.0	—	Directly Exposed
CVE-2026-4786	LOW2.56	python-3.13 3.13.13-r1 fixed in 3.13.13-r2	—	Post-Exploit
CVE-2026-4786	LOW2.56	python-3.13-base 3.13.13-r1 fixed in 3.13.13-r2	—	Post-Exploit
CVE-2026-33750	LOW2.29	brace-expansion 5.0.4 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-33671	LOW1.99	picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-14546	NONE0	fastapi-sso 0.16.0 fixed in 0.19.0	0.1% Theoretical Threat	Not Applicable
GHSA-4pxv-j86v-mhcw	NONE0	pypdf 6.9.2 fixed in 6.10.2	—	Not Applicable
GHSA-7gw9-cf7v-778f	NONE0	pypdf 6.9.2 fixed in 6.10.2	—	Not Applicable
GHSA-jj6c-8h6c-hppx	NONE0	pypdf 6.9.2 fixed in 6.10.1	—	Not Applicable
GHSA-x284-j5p8-9c5p	NONE0	pypdf 6.9.2 fixed in 6.10.2	—	Not Applicable