This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could cause denial of service by exploiting CVE-2024-6119 in outbound TLS connections to a malicious MongoDB server, or potentially achieve remote code execution via CVE-2026-4800 if untrusted input reaches lodash template key names. Mitigating controls: ensure only trusted MongoDB servers are used to eliminate CVE-2024-6119; CVE-2026-4800 requires specific untrusted input and may not be exploitable in typical deployments. Immediate patching of all vulnerable packages is strongly urged.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2024-6119 | CRITICAL 9.75 | libcrypto3 3.1.4-r5 fixed in 3.1.7-r0 | 66.6% Actively Exploited | Directly Exposed; Context importance: HIGH |
| CVE-2024-6119 | CRITICAL 9.75 | libssl3 3.1.4-r5 fixed in 3.1.7-r0 | 66.6% Actively Exploited | Directly Exposed; Context importance: HIGH |
| CVE-2026-4800 | HIGH 7.84 | lodash 4.17.21 fixed in 4.18.0 | 1.0% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-4800 | HIGH 7.84 | lodash-es 4.17.21 fixed in 4.18.0 | 1.0% Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2024-45590 | MEDIUM 6.38 | body-parser 1.20.1 fixed in 1.20.3 | 0.8% Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-41907 | MEDIUM 6.38 | uuid 8.3.2 fixed in 11.1.1, 12.0.1, 13.0.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-26519 | MEDIUM 5.95 | musl 1.2.4-r2 fixed in 1.2.4-r3 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-5535 | MEDIUM 5.9 | libcrypto3 3.1.4-r5 fixed in 3.1.6-r0 | 5.6% Low-Moderate Risk | Directly Exposed |
| CVE-2024-5535 | MEDIUM 5.9 | libssl3 3.1.4-r5 fixed in 3.1.6-r0 | 5.6% Low-Moderate Risk | Directly Exposed |
| CVE-2024-4741 | MEDIUM 5.6 | libcrypto3 3.1.4-r5 fixed in 3.1.6-r0 | 2.9% Low-Moderate Risk | Directly Exposed |
| CVE-2024-4741 | MEDIUM 5.6 | libssl3 3.1.4-r5 fixed in 3.1.6-r0 | 2.9% Low-Moderate Risk | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 3.1.2 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM 5.52 | minimatch 9.0.4 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-4603 | MEDIUM 5.3 | libcrypto3 3.1.4-r5 fixed in 3.1.5-r0 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2024-4603 | MEDIUM 5.3 | libssl3 3.1.4-r5 fixed in 3.1.5-r0 | 1.1% Low-Moderate Risk | Directly Exposed |
| CVE-2024-29041 | MEDIUM 5.18 | express 4.18.2 fixed in 4.19.2, 5.0.0-beta.3 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-42338 | MEDIUM 5.18 | ip-address 9.0.5 fixed in 10.1.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2021-32050 | MEDIUM 5.1 | mongodb 4.13.0 fixed in 3.6.10, 4.17.0, 5.8.0 | 0.5% Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-15284 | MEDIUM 5.1 | qs 6.11.0 fixed in 6.14.1 | 0.4% Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-2391 | MEDIUM 5.1 | qs 6.11.0 fixed in 6.14.2 | 0.5% Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-33349 | MEDIUM 5.02 | fast-xml-parser 4.0.11 fixed in 4.5.5, 5.5.7 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 3.1.2 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM 5.02 | minimatch 9.0.4 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-2511 | MEDIUM 4.81 | libcrypto3 3.1.4-r5 fixed in 3.1.4-r6 | 54.0% Actively Exploited | Directly Exposed |
| CVE-2024-2511 | MEDIUM 4.81 | libssl3 3.1.4-r5 fixed in 3.1.4-r6 | 54.0% Actively Exploited | Directly Exposed |
| CVE-2024-27088 | MEDIUM 4.67 | es5-ext 0.10.62 fixed in 0.10.63 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-41650 | MEDIUM 4.59 | fast-xml-parser 4.0.11 fixed in 5.7.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2024-47178 | MEDIUM 4.5 | basic-auth-connect 1.0.0 fixed in 1.1.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-64718 | MEDIUM 4.5 | js-yaml 3.14.1 fixed in 4.1.1, 3.14.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-13465 | MEDIUM 4.5 | lodash 4.17.21 fixed in 4.17.23 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash 4.17.21 fixed in 4.18.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-13465 | MEDIUM 4.5 | lodash-es 4.17.21 fixed in 4.17.23 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-2950 | MEDIUM 4.5 | lodash-es 4.17.21 fixed in 4.18.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2024-45296 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2024-52798 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 0.1.12 | 0.8% Theoretical Threat | Directly Exposed |
| CVE-2026-4867 | MEDIUM 4.5 | path-to-regexp 0.1.7 fixed in 0.1.13 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-13176 | MEDIUM 4 | libcrypto3 3.1.4-r5 fixed in 3.1.8-r0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2024-13176 | MEDIUM 4 | libssl3 3.1.4-r5 fixed in 3.1.8-r0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2024-43796 | MEDIUM 4 | express 4.18.2 fixed in 4.20.0, 5.0.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-43799 | MEDIUM 4 | send 0.18.0 fixed in 0.19.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2024-43800 | MEDIUM 4 | serve-static 1.15.0 fixed in 1.16.0, 2.1.0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2024-21538 | LOW 3.74 | cross-spawn 7.0.3 fixed in 7.0.5, 6.0.6 | 0.9% Theoretical Threat | Directly Exposed |
| CVE-2024-9143 | LOW 3.7 | libcrypto3 3.1.4-r5 fixed in 3.1.7-r1 | 6.0% Low-Moderate Risk | Directly Exposed |
| CVE-2024-9143 | LOW 3.7 | libssl3 3.1.4-r5 fixed in 3.1.7-r1 | 6.0% Low-Moderate Risk | Directly Exposed |
| CVE-2026-26960 | LOW 3.62 | tar 6.2.1 fixed in 7.5.8 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-26519 | LOW 3.57 | musl-utils 1.2.4-r2 fixed in 1.2.4-r3 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2024-29415 | LOW 3.53 | ip 2.0.0 No fix yet | 8.3% Low-Moderate Risk | Post-Exploit |
| CVE-2023-42282 | LOW 3.53 | ip 2.0.0 fixed in 2.0.1, 1.1.9 | 1.6% Low-Moderate Risk | Post-Exploit |
| CVE-2026-29786 | LOW 3.21 | tar 6.2.1 fixed in 7.5.10 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2022-46175 | LOW 3.17 | json5 2.2.1 fixed in 2.2.2, 1.0.2 | 9.3% Low-Moderate Risk | Post-Exploit |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.0 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.1 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.4.2 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2024-47764 | LOW 3.15 | cookie 0.5.0 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-23745 | LOW 3.11 | tar 6.2.1 fixed in 7.5.3 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-7339 | LOW 2.89 | on-headers 1.0.2 fixed in 1.1.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2023-42363 | LOW 2.8 | busybox 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42364 | LOW 2.8 | busybox 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42365 | LOW 2.8 | busybox 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42366 | LOW 2.8 | busybox 1.36.1-r5 fixed in 1.36.1-r6 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42363 | LOW 2.8 | busybox-binsh 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42364 | LOW 2.8 | busybox-binsh 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42365 | LOW 2.8 | busybox-binsh 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42366 | LOW 2.8 | busybox-binsh 1.36.1-r5 fixed in 1.36.1-r6 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42363 | LOW 2.8 | ssl_client 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42364 | LOW 2.8 | ssl_client 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42365 | LOW 2.8 | ssl_client 1.36.1-r5 fixed in 1.36.1-r7 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2023-42366 | LOW 2.8 | ssl_client 1.36.1-r5 fixed in 1.36.1-r6 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW 2.8 | tar 6.2.1 fixed in 7.5.11 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-64756 | LOW 2.7 | glob 10.3.12 fixed in 11.1.0, 10.5.0 | 3.0% Low-Moderate Risk | Post-Exploit |
| CVE-2022-25883 | LOW 2.7 | semver 6.3.0 fixed in 7.5.2, 6.3.1, 5.7.2 | 2.5% Low-Moderate Risk | Post-Exploit |
| CVE-2023-45133 | LOW 2.69 | @babel/traverse 7.19.6 fixed in 7.23.2, 8.0.0-alpha.4 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2025-5889 | LOW 2.63 | brace-expansion 1.1.11 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-5889 | LOW 2.63 | brace-expansion 2.0.1 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-24842 | LOW 2.51 | tar 6.2.1 fixed in 7.5.7 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2023-26920 | LOW 2.34 | fast-xml-parser 4.0.11 fixed in 4.1.2 | 1.2% Low-Moderate Risk | Post-Exploit |
| CVE-2026-33750 | LOW 2.29 | brace-expansion 1.1.11 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-33750 | LOW 2.29 | brace-expansion 2.0.1 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-24001 | LOW 2.29 | diff 5.2.0 fixed in 8.0.3, 5.2.2, 4.0.4, 3.5.1 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-33036 | LOW 2.29 | fast-xml-parser 4.0.11 fixed in 5.5.6, 4.5.5 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-27942 | LOW 2.29 | fast-xml-parser 4.0.11 fixed in 5.3.8, 4.5.4 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-26996 | LOW 2.29 | minimatch 3.1.2 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-26996 | LOW 2.29 | minimatch 9.0.4 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-23950 | LOW 1.81 | tar 6.2.1 fixed in 7.5.4 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-49356 | NONE 0 | @babel/core 7.19.6 fixed in 8.0.0-rc.6, 7.29.6 | — | Not Applicable |
| CVE-2025-27789 | NONE 0 | @babel/helpers 7.19.4 fixed in 7.26.10, 8.0.0-alpha.17 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-53550 | NONE 0 | js-yaml 3.14.1 fixed in 4.2.0 | — | Not Applicable |
| CVE-2023-52555 | NONE 0 | mongo-express 1.0.2 No fix yet | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-53655 | NONE 0 | tar 6.2.1 fixed in 7.5.16 | — | Not Applicable |