Vulnerability Reportlitellm/litellm-database:1.87.3

litellm/litellm-database:v1.87.3litellm/litellm-database:1.87.3

DIGESTsha256:c4b9e69952602a719767ddcc30c652c98c71a8ad0cb2ec0837161a618ba6e3e3

Executive Summary

NEEDS_ATTENTION

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The image contains 40 exposed vulnerabilities, with the most severe (CVE-2026-45447 and CVE-2026-45445) scoring in the medium range (6.18–6.48) and requiring specific, non-default conditions to be exploitable—such as processing PKCS#7 messages or using AES-OCB via the EVP_Cipher() one-shot API, which is unlikely for a database container. No post-exploit vulnerabilities were found. Despite the community-origin trust warning, the threat score of 37 indicates manageable risk that can be mitigated through standard patching and configuration review.

Threat Score

37/100

NEEDS_ATTENTION

Community image with low reputation (score 55) and no official or verified status.
40 total exposed vulnerabilities, 4 with severity ≥6.0 (max 6.48), including CVE-2026-45447 and CVE-2026-45445.
Post-exploit findings are absent, limiting attack surface after initial compromise.
Top findings affect OpenSSL (libcrypto3, libssl3) but require non-default usage paths (PKCS7 verification, AES-OCB EVP_Cipher one-shot), reducing practical risk.

Reputation

UNVERIFIED

litellm

COMMUNITY

Community Image with low/unknown reputation
Pinned by digest (Immutable)

Vulnerabilities

Vulnerability Log

53 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45447	MEDIUM6.48	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-45447	MEDIUM6.48	libssl3 3.6.2-r3 fixed in 3.6.3-r0	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	MEDIUM6.18	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45445	MEDIUM6.18	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-48710	MEDIUM5.52	starlette 0.50.0 fixed in 1.0.1	0.9% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM5.03	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34182	MEDIUM5.03	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-48524	MEDIUM5.02	PyJWT 2.12.0 fixed in 2.13.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-33672	MEDIUM4.5	picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.37.0-r57 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW3.83	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34183	LOW3.83	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-26157	LOW3.57	busybox 1.37.0-r57 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.37.0-r57 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2024-6345	LOW3.17	setuptools 68.1.2 fixed in 70.0.0	1.8% Low-Moderate Risk	Post-Exploit
CVE-2025-47273	LOW3.17	setuptools 68.1.2 fixed in 78.1.1	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	LOW3.01	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	LOW3.01	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	LOW3.01	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	LOW3.01	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	LOW3.01	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-33750	LOW2.29	brace-expansion 5.0.4 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45149	LOW2.29	brace-expansion 5.0.4 fixed in 5.0.6	0.2% Theoretical Threat	Post-Exploit
CVE-2026-47265	LOW2.29	aiohttp 3.13.5 fixed in 3.14.0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-34993	LOW2.23	aiohttp 3.13.5 fixed in 3.14.0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-33671	LOW1.99	picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42338	LOW1.87	ip-address 10.1.0 fixed in 10.1.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-35188	NONE0	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-53655	NONE0	tar 7.5.11 fixed in 7.5.16	—	Not Applicable
CVE-2026-42544	NONE0	granian 2.5.7 fixed in 2.7.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42545	NONE0	granian 2.5.7 fixed in 2.7.4	0.2% Theoretical Threat	Not Applicable
GHSA-vfvv-c25p-m7mm	NONE0	rkyv 0.8.15 fixed in 0.8.16	—	Not Applicable
GHSA-3pv8-6f4r-ffg2	NONE0	tar 0.4.45 fixed in 0.4.46	—	Not Applicable