Vulnerability Reportopensearchproject/opensearch-dashboards:3.6.0

opensearchproject/opensearch-dashboards:3.6.0

DIGESTsha256:1ddd64e3a07fd98bc20ccf5174760b51795630a602b81102b37d1e9ee82cb7a9

Executive Summary

Threat ScoreCAUTION• 81 exposed vulnerabilities found, including 15 with severity >=6.0 and 1 with severity >=7.0 (CVE-2025-62718, 7.92).• Multiple axios vulnerabilities (CVE-2025-62718, CVE-2026-42043) enable SSRF and proxy bypass if the container connects to a malicious server.• A ReDoS vulnerability in @hapi/content (CVE-2026-35213) can cause denial of service via crafted HTTP headers, directly exposed to external traffic.• The image is from a verified publisher and pinned by digest, ensuring integrity, but the high vulnerability count is concerning.

50/100CAUTION

ReputationVERIFIED• Verified Publisher (Trusted Vendor)• Pinned by digest (Immutable)

TRUSTED

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit the axios vulnerabilities to perform server-side request forgery or bypass proxy protections, potentially accessing internal services, while the @hapi/content ReDoS can disrupt availability. Note that the axios risks require the container to connect to an attacker-controlled server, which is not the default configuration, but the ReDoS is directly exploitable via external HTTP requests. Remediating these vulnerabilities by updating axios and @hapi/content to patched versions is recommended to reduce the attack surface.

Vulnerabilities

Vulnerability Log

97 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-62718	HIGH7.92	axios 1.13.5 fixed in 1.15.0, 0.31.0	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-42043	MEDIUM6.8	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-35213	MEDIUM6.38	@hapi/content 5.0.2 fixed in 6.0.1	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-44487	MEDIUM6.38	axios 1.13.5 fixed in 1.16.0, 0.32.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44488	MEDIUM6.38	axios 1.13.5 fixed in 1.16.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-44496	MEDIUM6.38	axios 1.13.5 fixed in 1.16.0, 0.32.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-6321	MEDIUM6.38	fast-uri 3.0.6 fixed in 3.1.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-6322	MEDIUM6.38	fast-uri 3.0.6 fixed in 3.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6321	MEDIUM6.38	fast-uri 3.1.0 fixed in 3.1.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-6322	MEDIUM6.38	fast-uri 3.1.0 fixed in 3.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45736	MEDIUM6.38	ws 8.18.0 fixed in 8.20.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42033	MEDIUM6.29	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42035	MEDIUM6.29	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42264	MEDIUM6.18	axios 1.13.5 fixed in 1.15.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42044	MEDIUM6.18	axios 1.13.5 fixed in 1.15.2	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44495	MEDIUM5.95	axios 1.13.5 fixed in 1.15.2, 0.31.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-44494	MEDIUM5.91	axios 1.13.5 fixed in 1.16.0	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44492	MEDIUM5.85	axios 1.13.5 fixed in 1.16.0, 0.32.0	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41238	MEDIUM5.78	dompurify 3.3.2 fixed in 3.4.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41239	MEDIUM5.78	dompurify 3.3.2 fixed in 3.4.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41238	MEDIUM5.78	dompurify 3.3.3 fixed in 3.4.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41239	MEDIUM5.78	dompurify 3.3.3 fixed in 3.4.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44490	MEDIUM5.58	axios 1.13.5 fixed in 1.16.0, 0.32.0	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-9149	MEDIUM5.52	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9150	MEDIUM5.52	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42041	MEDIUM5.52	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5758	MEDIUM5.52	protocol-buffers-schema 3.6.0 fixed in 3.6.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-6019	MEDIUM5.18	python3-libs 3.9.25-1.amzn2023.0.5 fixed in 3.9.25-1.amzn2023.0.6	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42042	MEDIUM5.18	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41240	MEDIUM5.18	dompurify 3.3.2 fixed in 3.4.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41240	MEDIUM5.18	dompurify 3.3.3 fixed in 3.4.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-44665	MEDIUM5.18	fast-xml-builder 1.1.4 fixed in 1.1.7	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42338	MEDIUM5.18	ip-address 10.1.0 fixed in 10.1.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42338	MEDIUM5.18	ip-address 6.4.0 fixed in 10.1.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-44486	MEDIUM5.1	axios 1.13.5 fixed in 1.16.0, 0.32.0	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42038	MEDIUM5.1	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42039	MEDIUM5.1	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-41324	MEDIUM5.02	basic-ftp 5.2.0 fixed in 5.3.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41650	MEDIUM4.59	fast-xml-parser 5.5.9 fixed in 5.7.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42034	MEDIUM4.5	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42036	MEDIUM4.5	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42037	MEDIUM4.5	axios 1.13.5 fixed in 1.15.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40175	MEDIUM4.08	axios 1.13.5 fixed in 1.15.0, 0.31.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3449	LOW3.4	@tootallnate/once 2.0.0 fixed in 3.0.1, 2.0.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-39983	LOW3.1	basic-ftp 5.2.0 fixed in 5.2.1	1.9% Low-Moderate Risk	Post-Exploit
CVE-2026-48863	LOW2.7	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	—	Post-Exploit
CVE-2026-44705	LOW2.51	tmp 0.2.5 fixed in 0.2.6	0.5% Theoretical Threat	Post-Exploit
CVE-2026-48864	LOW2.39	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33811	LOW2.29	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.5% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33750	LOW2.29	brace-expansion 1.1.12 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13	0.4% Theoretical Threat	Post-Exploit
CVE-2026-41907	LOW2.29	uuid 10.0.0 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-41907	LOW2.29	uuid 2.0.3 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-41907	LOW2.29	uuid 3.3.2 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-41907	LOW2.29	uuid 3.4.0 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-41907	LOW2.29	uuid 8.3.2 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-41907	LOW2.29	uuid 9.0.0 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6019	LOW1.87	python3 3.9.25-1.amzn2023.0.5 fixed in 3.9.25-1.amzn2023.0.6	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39823	NONE0	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.3% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	libcap 2.73-1.amzn2023.0.6 fixed in 2.73-1.amzn2023.0.7	0.6% Theoretical Threat	Not Applicable
CVE-2026-44974	NONE0	@hapi/content 5.0.2 fixed in 6.0.2	—	Not Applicable
CVE-2026-48049	NONE0	@hapi/inert 6.0.5 fixed in 7.1.1	—	Not Applicable
CVE-2026-44979	NONE0	@hapi/wreck 17.2.0 fixed in 18.1.1	—	Not Applicable
CVE-2026-48022	NONE0	@hapi/wreck 17.2.0 fixed in 18.1.2	—	Not Applicable
CVE-2026-54285	NONE0	@opentelemetry/core 1.30.1 fixed in 2.8.0	—	Not Applicable
CVE-2026-42040	NONE0	axios 1.13.5 fixed in 1.15.1, 0.31.1	0.2% Theoretical Threat	Not Applicable
CVE-2026-44240	NONE0	basic-ftp 5.2.0 fixed in 5.3.1	0.5% Theoretical Threat	Not Applicable
GHSA-6v7q-wjvx-w8wg	NONE0	basic-ftp 5.2.0 fixed in 5.2.2	—	Not Applicable
CVE-2026-49458	NONE0	dompurify 3.3.2 fixed in 3.4.6	—	Not Applicable
CVE-2026-49459	NONE0	dompurify 3.3.2 fixed in 3.4.6	—	Not Applicable
CVE-2026-49978	NONE0	dompurify 3.3.2 fixed in 3.4.7	—	Not Applicable
GHSA-39q2-94rc-95cp	NONE0	dompurify 3.3.2 fixed in 3.4.0	—	Not Applicable
GHSA-76mc-f452-cxcm	NONE0	dompurify 3.3.2 fixed in 3.4.7	—	Not Applicable
GHSA-cmwh-pvxp-8882	NONE0	dompurify 3.3.2 fixed in 3.4.11	—	Not Applicable
GHSA-gvmj-g25r-r7wr	NONE0	dompurify 3.3.2 fixed in 3.4.8	—	Not Applicable
GHSA-vxr8-fq34-vvx9	NONE0	dompurify 3.3.2 fixed in 3.4.9	—	Not Applicable
GHSA-x4vx-rjvf-j5p4	NONE0	dompurify 3.3.2 No fix yet	—	Not Applicable
CVE-2026-49458	NONE0	dompurify 3.3.3 fixed in 3.4.6	—	Not Applicable
CVE-2026-49459	NONE0	dompurify 3.3.3 fixed in 3.4.6	—	Not Applicable
CVE-2026-49978	NONE0	dompurify 3.3.3 fixed in 3.4.7	—	Not Applicable
GHSA-39q2-94rc-95cp	NONE0	dompurify 3.3.3 fixed in 3.4.0	—	Not Applicable
GHSA-76mc-f452-cxcm	NONE0	dompurify 3.3.3 fixed in 3.4.7	—	Not Applicable
GHSA-cmwh-pvxp-8882	NONE0	dompurify 3.3.3 fixed in 3.4.11	—	Not Applicable
GHSA-gvmj-g25r-r7wr	NONE0	dompurify 3.3.3 fixed in 3.4.8	—	Not Applicable
GHSA-vxr8-fq34-vvx9	NONE0	dompurify 3.3.3 fixed in 3.4.9	—	Not Applicable
GHSA-x4vx-rjvf-j5p4	NONE0	dompurify 3.3.3 No fix yet	—	Not Applicable
GHSA-r4q5-vmmm-2653	NONE0	follow-redirects 1.15.11 fixed in 1.16.0	—	Not Applicable
CVE-2026-12143	NONE0	form-data 4.0.4 fixed in 2.5.6, 3.0.5, 4.0.6	0.3% Theoretical Threat	Not Applicable
CVE-2026-48038	NONE0	joi 14.3.1 fixed in 18.2.1, 17.13.4	—	Not Applicable
CVE-2026-46625	NONE0	js-cookie 2.2.1 fixed in 3.0.7	0.4% Theoretical Threat	Not Applicable
CVE-2026-53550	NONE0	js-yaml 4.1.1 fixed in 4.2.0	—	Not Applicable
CVE-2024-1899	NONE0	showdown 2.1.0 No fix yet	0.8% Theoretical Threat	Not Applicable
CVE-2026-53655	NONE0	tar 7.5.11 fixed in 7.5.16	—	Not Applicable
CVE-2026-48779	NONE0	ws 7.5.10 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable
CVE-2026-48779	NONE0	ws 8.18.0 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable