This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could execute arbitrary code in the mongo-express web interface, gain unauthorized access to MongoDB data, or perform denial-of-service attacks against the container. CVE-2019-10758 has an EPSS of 0.85, indicating active exploitation in the wild. No full mitigation is identified for the highest-severity vulnerabilities.

| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2019-10758 | CRITICAL 10 | mongo-express 0.49.0 fixed in 0.54.0 | 84.8% Actively Exploited | Directly Exposed; Context importance: HIGH |
| CVE-2020-7699 | CRITICAL 9.8 | express-fileupload 0.4.0 fixed in 1.1.9 | 4.7% Low-Moderate Risk | Directly Exposed; Context importance: HIGH |
| CVE-2021-3712 | CRITICAL 9.62 | libssl1.1 1.1.1d-r2 fixed in 1.1.1l-r0 | 50.4% Actively Exploited | Directly Exposed |
| CVE-2022-38900 | HIGH 8.62 | decode-uri-component 0.2.0 fixed in 0.2.1 | 24.9% High Exploitation Risk | Directly Exposed |
| CVE-2022-24999 | HIGH 8.62 | qs 6.5.1 fixed in 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | 14.7% High Exploitation Risk | Directly Exposed |
| CVE-2022-24999 | HIGH 8.62 | qs 6.5.2 fixed in 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | 14.7% High Exploitation Risk | Directly Exposed |
| CVE-2022-24999 | HIGH 8.62 | qs 6.7.0 fixed in 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | 14.7% High Exploitation Risk | Directly Exposed |
| CVE-2021-3450 | HIGH 8.51 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1k-r0 | 18.3% High Exploitation Risk | Directly Exposed |
| CVE-2021-3450 | HIGH 8.51 | libssl1.1 1.1.1d-r2 fixed in 1.1.1k-r0 | 18.3% High Exploitation Risk | Directly Exposed |
| CVE-2021-23337 | HIGH 8.28 | lodash 4.17.15 fixed in 4.17.21 | 22.4% High Exploitation Risk | Directly Exposed |
| CVE-2020-7774 | HIGH 8 | y18n 3.2.1 fixed in 3.2.2, 4.0.1, 5.0.5 | 69.1% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2020-7774 | HIGH 8 | y18n 4.0.0 fixed in 3.2.2, 4.0.1, 5.0.5 | 69.1% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2020-7610 | HIGH 7.84 | bson 1.0.9 fixed in 1.1.4 | 2.2% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2020-36632 | HIGH 7.84 | flat 2.0.1 fixed in 1.6.2, 2.0.2, 3.0.1, 4.0.2, 5.0.1 | 1.1% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2024-29415 | HIGH 7.84 | ip 1.1.5 No fix yet | 8.3% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2023-42282 | HIGH 7.84 | ip 1.1.5 fixed in 2.0.1, 1.1.9 | 1.6% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2021-3918 | HIGH 7.84 | json-schema 0.2.3 fixed in 0.4.0 | 3.6% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-4800 | HIGH 7.84 | lodash 4.17.15 fixed in 4.18.0 | 1.0% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2023-26136 | HIGH 7.84 | tough-cookie 2.4.3 fixed in 4.1.3 | 2.1% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2020-1967 | HIGH 7.8 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1g-r0 | 53.3% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2021-23840 | HIGH 7.8 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1j-r0 | 50.7% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2020-1967 | HIGH 7.8 | libssl1.1 1.1.1d-r2 fixed in 1.1.1g-r0 | 53.3% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2021-23840 | HIGH 7.8 | libssl1.1 1.1.1d-r2 fixed in 1.1.1j-r0 | 50.7% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2021-3712 | HIGH 7.7 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1l-r0 | 50.4% Actively Exploited | Directly Exposed; Context importance: MEDIUM |
| CVE-2021-3449 | HIGH 7.67 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1k-r0 | 63.5% Actively Exploited | Directly Exposed |
| CVE-2021-3449 | HIGH 7.67 | libssl1.1 1.1.1d-r2 fixed in 1.1.1k-r0 | 63.5% Actively Exploited | Directly Exposed |
| CVE-2019-15847 | HIGH 7.5 | libgcc 9.2.0-r3 fixed in 9.3.0-r0 | 3.2% Low-Moderate Risk | Directly Exposed |
| CVE-2019-15847 | HIGH 7.5 | libstdc++ 9.2.0-r3 fixed in 9.3.0-r0 | 3.2% Low-Moderate Risk | Directly Exposed |
| CVE-2021-3807 | HIGH 7.5 | ansi-regex 3.0.0 fixed in 6.0.1, 5.0.1, 4.1.1, 3.0.1 | 3.3% Low-Moderate Risk | Directly Exposed |
| CVE-2022-24434 | HIGH 7.5 | dicer 0.2.5 No fix yet | 3.0% Low-Moderate Risk | Directly Exposed |
| CVE-2022-27261 | HIGH 7.5 | express-fileupload 0.4.0 No fix yet | 1.3% Low-Moderate Risk | Directly Exposed |
| CVE-2022-25881 | HIGH 7.5 | http-cache-semantics 3.8.1 fixed in 4.1.1 | 1.6% Low-Moderate Risk | Directly Exposed |
| CVE-2022-3517 | HIGH 7.5 | minimatch 3.0.4 fixed in 3.0.5 | 1.7% Low-Moderate Risk | Directly Exposed |
| CVE-2021-23343 | HIGH 7.5 | path-parse 1.0.6 fixed in 1.0.7 | 2.2% Low-Moderate Risk | Directly Exposed |
| CVE-2022-25883 | HIGH 7.5 | semver 5.3.0 fixed in 7.5.2, 6.3.1, 5.7.2 | 2.8% Low-Moderate Risk | Directly Exposed |
| CVE-2022-25883 | HIGH 7.5 | semver 5.7.1 fixed in 7.5.2, 6.3.1, 5.7.2 | 2.8% Low-Moderate Risk | Directly Exposed |
| CVE-2021-27290 | HIGH 7.5 | ssri 6.0.1 fixed in 6.0.2, 7.1.1, 8.0.1 | 4.7% Low-Moderate Risk | Directly Exposed |
| CVE-2023-25345 | HIGH 7.5 | swig-templates 2.0.2 No fix yet | 1.0% Low-Moderate Risk | Directly Exposed |
| CVE-2020-8203 | HIGH 7.4 | lodash 4.17.15 fixed in 4.17.19 | 5.2% Low-Moderate Risk | Directly Exposed |
| CVE-2020-8203 | HIGH 7.4 | lodash.set 4.3.2 No fix yet | 5.2% Low-Moderate Risk | Directly Exposed |
| CVE-2020-8116 | HIGH 7.3 | dot-prop 3.0.0 fixed in 4.2.1, 5.1.1 | 3.1% Low-Moderate Risk | Directly Exposed |
| CVE-2020-8116 | HIGH 7.3 | dot-prop 4.2.0 fixed in 4.2.1, 5.1.1 | 3.1% Low-Moderate Risk | Directly Exposed |
| CVE-2025-69873 | MEDIUM 6.38 | ajv 5.5.2 fixed in 8.18.0, 6.14.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2024-45590 | MEDIUM 6.38 | body-parser 1.18.2 fixed in 1.20.3 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2024-45590 | MEDIUM 6.38 | body-parser 1.19.0 fixed in 1.20.3 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM 6.38 | brace-expansion 1.1.11 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-26996 | MEDIUM 6.38 | minimatch 3.0.4 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2021-23372 | MEDIUM 6.38 | mongo-express 0.49.0 No fix yet | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.5.1 fixed in 6.14.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.5.2 fixed in 6.14.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-15284 | MEDIUM 6.38 | qs 6.7.0 fixed in 6.14.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-2391 | MEDIUM 6.38 | qs 6.7.0 fixed in 6.14.2 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 2.0.3 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 3.3.3 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2021-21422 | MEDIUM 6.1 | mongo-express 0.49.0 fixed in 1.0.0-alpha.4 | 1.6% Low-Moderate Risk | Directly Exposed |
| CVE-2019-1551 | MEDIUM 6.09 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1d-r3 | 14.3% High Exploitation Risk | Directly Exposed |
| CVE-2019-1551 | MEDIUM 6.09 | libssl1.1 1.1.1d-r2 fixed in 1.1.1d-r3 | 14.3% High Exploitation Risk | Directly Exposed |
| CVE-2020-1971 | MEDIUM 5.9 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1i-r0 | 7.0% Low-Moderate Risk | Directly Exposed |
| CVE-2021-23841 | MEDIUM 5.9 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1j-r0 | 7.5% Low-Moderate Risk | Directly Exposed |
| CVE-2020-1971 | MEDIUM 5.9 | libssl1.1 1.1.1d-r2 fixed in 1.1.1i-r0 | 7.0% Low-Moderate Risk | Directly Exposed |
| CVE-2021-23841 | MEDIUM 5.9 | libssl1.1 1.1.1d-r2 fixed in 1.1.1j-r0 | 7.5% Low-Moderate Risk | Directly Exposed |
| CVE-2020-15366 | MEDIUM 5.6 | ajv 5.5.2 fixed in 6.12.3 | 2.3% Low-Moderate Risk | Directly Exposed |
| CVE-2020-7598 | MEDIUM 5.6 | minimist 0.0.10 fixed in 0.2.1, 1.2.3 | 1.9% Low-Moderate Risk | Directly Exposed |
| CVE-2020-7598 | MEDIUM 5.6 | minimist 0.0.8 fixed in 0.2.1, 1.2.3 | 1.9% Low-Moderate Risk | Directly Exposed |
| CVE-2020-7598 | MEDIUM 5.6 | minimist 1.2.0 fixed in 0.2.1, 1.2.3 | 1.9% Low-Moderate Risk | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.0.4 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-7783 | MEDIUM 5.4 | form-data 2.3.2 fixed in 2.5.4, 3.0.4, 4.0.4 | 1.7% Low-Moderate Risk | Directly Exposed |
| CVE-2017-16137 | MEDIUM 5.3 | debug 3.2.6 fixed in 2.6.9, 3.1.0, 3.2.7, 4.3.1 | 2.8% Low-Moderate Risk | Directly Exposed |
| CVE-2022-33987 | MEDIUM 5.3 | got 5.7.1 fixed in 12.1.0, 11.8.5 | 1.9% Low-Moderate Risk | Directly Exposed |
| CVE-2022-33987 | MEDIUM 5.3 | got 6.7.1 fixed in 12.1.0, 11.8.5 | 1.9% Low-Moderate Risk | Directly Exposed |
| CVE-2021-23362 | MEDIUM 5.3 | hosted-git-info 2.8.5 fixed in 2.8.9, 3.0.8 | 3.6% Low-Moderate Risk | Directly Exposed |
| CVE-2020-28500 | MEDIUM 5.3 | lodash 4.17.15 fixed in 4.17.21 | 7.3% Low-Moderate Risk | Directly Exposed |
| CVE-2024-29041 | MEDIUM 5.18 | express 4.16.3 fixed in 4.19.2, 5.0.0-beta.3 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2023-28155 | MEDIUM 5.18 | request 2.88.0 No fix yet | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.0.4 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2020-28928 | MEDIUM 4.67 | musl 1.1.24-r0 fixed in 1.1.24-r3 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2024-27088 | MEDIUM 4.67 | es5-ext 0.10.53 fixed in 0.10.63 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2019-2391 | MEDIUM 4.59 | bson 1.0.9 fixed in 1.1.4 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2021-3711 | MEDIUM 4.58 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1l-r0 | 87.8% Actively Exploited | Post-Exploit |
| CVE-2021-3711 | MEDIUM 4.58 | libssl1.1 1.1.1d-r2 fixed in 1.1.1l-r0 | 87.8% Actively Exploited | Post-Exploit |
| CVE-2021-30139 | MEDIUM 4.5 | apk-tools 2.10.4-r3 fixed in 2.10.6-r0 | 1.6% Low-Moderate Risk | Post-Exploit |
| CVE-2024-47178 | MEDIUM 4.5 | basic-auth-connect 1.0.0 fixed in 1.1.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-13465 | MEDIUM 4.5 | lodash 4.17.15 fixed in 4.17.23 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 4.17.15 fixed in 4.18.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-45296 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2024-52798 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 0.1.12 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-4867 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 0.1.13 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2020-7608 | MEDIUM 4.5 | yargs-parser 9.0.2 fixed in 13.1.2, 15.0.1, 18.1.1, 5.0.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2021-42378 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42379 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42380 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.9% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42381 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42382 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42383 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.1% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42384 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42385 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42386 | MEDIUM 4.32 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42378 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42379 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42380 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.9% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42381 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42382 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42383 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.1% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42384 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42385 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42386 | MEDIUM 4.32 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2026-24842 | MEDIUM 4.18 | tar 4.4.13 fixed in 7.5.7 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2022-37434 | MEDIUM 4.06 | zlib 1.2.11-r3 fixed in 1.2.11-r4 | 15.9% High Exploitation Risk | Post-Exploit |
| CVE-2024-43796 | MEDIUM 4 | express 4.16.3 fixed in 4.20.0, 5.0.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-43799 | MEDIUM 4 | send 0.16.2 fixed in 0.19.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-43800 | MEDIUM 4 | serve-static 1.13.2 fixed in 1.16.0, 2.1.0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2021-4435 | LOW 3.98 | yarn 1.21.1 fixed in 1.22.13 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2024-21538 | LOW 3.74 | cross-spawn 5.1.0 fixed in 7.0.5, 6.0.6 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2021-23839 | LOW 3.7 | libcrypto1.1 1.1.1d-r2 fixed in 1.1.1j-r0 | 3.0% Low-Moderate Risk | Directly Exposed |
| CVE-2021-23839 | LOW 3.7 | libssl1.1 1.1.1d-r2 fixed in 1.1.1j-r0 | 3.0% Low-Moderate Risk | Directly Exposed |
| CVE-2026-26960 | LOW 3.62 | tar 4.4.13 fixed in 7.5.8 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2020-7788 | LOW 3.53 | ini 1.3.5 fixed in 1.3.6 | 3.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-44906 | LOW 3.53 | minimist 0.0.10 fixed in 1.2.6, 0.2.4 | 4.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-44906 | LOW 3.53 | minimist 0.0.8 fixed in 1.2.6, 0.2.4 | 4.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-44906 | LOW 3.53 | minimist 1.2.0 fixed in 1.2.6, 0.2.4 | 4.6% Low-Moderate Risk | Post-Exploit |
| CVE-2021-32804 | LOW 3.35 | tar 4.4.13 fixed in 3.2.2, 4.4.14, 5.0.6, 6.1.1 | 15.0% High Exploitation Risk | Post-Exploit |
| CVE-2024-28863 | LOW 3.31 | tar 4.4.13 fixed in 6.2.1 | 0.9% Theoretical Threat | Post-Exploit |
| CVE-2021-36159 | LOW 3.28 | apk-tools 2.10.4-r3 fixed in 2.10.7-r0 | 2.6% Low-Moderate Risk | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 4.4.13 fixed in 7.5.10 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2024-47764 | LOW 3.15 | cookie 0.3.1 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.0 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-23745 | LOW 3.11 | tar 4.4.13 fixed in 7.5.3 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2021-37701 | LOW 3.1 | tar 4.4.13 fixed in 4.4.16, 5.0.8, 6.1.7 | 3.1% Low-Moderate Risk | Post-Exploit |
| CVE-2021-37712 | LOW 3.1 | tar 4.4.13 fixed in 4.4.18, 5.0.10, 6.1.9 | 1.7% Low-Moderate Risk | Post-Exploit |
| CVE-2021-37713 | LOW 3.1 | tar 4.4.13 fixed in 4.4.18, 5.0.10, 6.1.9 | 1.2% Low-Moderate Risk | Post-Exploit |
| CVE-2026-23950 | LOW 3.01 | tar 4.4.13 fixed in 7.5.4 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2021-32803 | LOW 2.92 | tar 4.4.13 fixed in 3.2.3, 4.4.15, 5.0.7, 6.1.2 | 7.8% Low-Moderate Risk | Post-Exploit |
| CVE-2025-7339 | LOW 2.89 | on-headers 1.0.2 fixed in 1.1.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2019-10773 | LOW 2.81 | yarn 1.21.1 fixed in 1.22.0 | 1.5% Low-Moderate Risk | Post-Exploit |
| CVE-2020-28928 | LOW 2.8 | musl-utils 1.1.24-r0 fixed in 1.1.24-r3 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 4.4.13 fixed in 7.5.11 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2021-28831 | LOW 2.7 | busybox 1.31.1-r8 fixed in 1.31.1-r10 | 2.8% Low-Moderate Risk | Post-Exploit |
| CVE-2021-28831 | LOW 2.7 | ssl_client 1.31.1-r8 fixed in 1.31.1-r10 | 2.8% Low-Moderate Risk | Post-Exploit |
| CVE-2020-8131 | LOW 2.7 | yarn 1.21.1 fixed in 1.22.0 | 5.0% Low-Moderate Risk | Post-Exploit |
| CVE-2021-42374 | LOW 2.7 | busybox 1.31.1-r8 fixed in 1.31.1-r11 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2021-42374 | LOW 2.7 | ssl_client 1.31.1-r8 fixed in 1.31.1-r11 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2025-5889 | LOW 2.63 | brace-expansion 1.1.11 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2020-15095 | LOW 2.24 | npm 6.13.4 fixed in 6.14.6 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2020-7754 | NONE 0 | npm-user-validate 1.0.0 fixed in 1.0.1 | 3.4% Low-Moderate Risk | Not Applicable |
| GHSA-q3w9-g74q-vp5f | NONE 0 | express-fileupload 0.4.0 fixed in 1.1.6-alpha.6 | — | Not Applicable |
| CVE-2026-12143 | NONE 0 | form-data 2.3.2 fixed in 2.5.6, 3.0.5, 4.0.6 | 0.3% Theoretical Threat | Not Applicable |
| NSWG-ECO-516 | NONE 0 | lodash 4.17.15 fixed in >=4.17.19 | — | Not Applicable |
| GHSA-4xcv-9jjx-gfj3 | NONE 0 | mem 1.1.0 fixed in 4.0.0 | — | Not Applicable |
| CVE-2023-52555 | NONE 0 | mongo-express 0.49.0 No fix yet | 0.2% Theoretical Threat | Not Applicable |
| GHSA-mh5c-679w-hh4r | NONE 0 | mongodb 2.2.24 fixed in 3.1.13 | — | Not Applicable |
| GHSA-jmqm-f2gx-4fjv | NONE 0 | npm-registry-fetch 4.0.2 fixed in 4.0.5, 8.1.1 | — | Not Applicable |
| GHSA-xgh6-85xh-479p | NONE 0 | npm-user-validate 1.0.0 fixed in 1.0.1 | — | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 4.4.13 fixed in 7.5.16 | 0.1% Theoretical Threat | Not Applicable |