Vulnerability Reportopensearchproject/opensearch:3.4.0

opensearchproject/opensearch:3.4.0

DIGESTsha256:1647ce2e07371f1ac8bbad28890a64ef77c5a694a61f656120f0ace09e66bf48

Executive Summary

Threat ScoreCAUTION• Container published by verified, trusted vendor (opensearchproject) and pinned by digest, but contains 91 exposed vulnerabilities with maximum severity 8.33.• Two critical (CVSS >=7) and 33 vulnerabilities with severity >=6.0, including CVE-2026-42581 (HTTP request smuggling in Netty) and CVE-2026-27135 (HTTP/2 denial of service).• CVE-2026-42581 enables remote request smuggling leading to cache poisoning or security bypass; CVE-2026-27135 can cause denial of service via crafted HTTP/2 frames.• Post-exploit findings are low severity (max 4.06) and of LOW context importance, posing no practical risk.

74/100CAUTION

ReputationVERIFIED• Verified Publisher (Trusted Vendor)• Pinned by digest (Immutable)

TRUSTED

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit the Netty request smuggling flaw (CVE-2026-42581) to perform cache poisoning or bypass security controls, or trigger denial of service via HTTP/2 frames (CVE-2026-27135). Post-exploit vulnerabilities are low severity and not relevant to this container's operation.

Vulnerabilities

Vulnerability Log

154 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33811	MEDIUM6.38	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.7	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.7	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.7	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41989	MEDIUM6.38	libgcrypt 1.10.2-1.amzn2023.0.2 fixed in 1.10.2-1.amzn2023.0.3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	libnghttp2 1.59.0-3.amzn2023.0.1 fixed in 1.59.0-3.amzn2023.0.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-28389	MEDIUM6.38	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.125.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.2.7.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.125.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.125.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.125.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.2.7.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.2.7.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.2.7.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.7.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.2.7.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.2.7.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34478	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.21.0 fixed in 2.25.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.21.0 fixed in 2.25.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69419	MEDIUM6.29	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-13151	MEDIUM5.9	libtasn1 4.19.0-1.amzn2023.0.5 fixed in 4.19.0-1.amzn2023.0.6	1.1% Low-Moderate Risk	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 4.1.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9149	MEDIUM5.52	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9150	MEDIUM5.52	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.3	0.4% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.125.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.7.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.78.1 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.7.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-1757	MEDIUM5.27	libxml2 2.10.4-1.amzn2023.0.13 fixed in 2.10.4-1.amzn2023.0.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40355	MEDIUM5.02	krb5-libs 1.21.3-6.amzn2023.0.1 fixed in 1.21.3-7.amzn2023.0.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	krb5-libs 1.21.3-6.amzn2023.0.1 fixed in 1.21.3-7.amzn2023.0.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0990	MEDIUM5.02	libxml2 2.10.4-1.amzn2023.0.13 fixed in 2.10.4-1.amzn2023.0.16	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	1.0% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.5% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	1.0% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.21.0 fixed in 2.25.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.7	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.34-231.amzn2023.0.1 fixed in 2.34-231.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-common 2.34-231.amzn2023.0.1 fixed in 2.34-231.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-minimal-langpack 2.34-231.amzn2023.0.1 fixed in 2.34-231.amzn2023.0.4	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.7.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.2.7.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2025-68161	MEDIUM4.08	org.apache.logging.log4j:log4j-core 2.21.0 fixed in 2.25.3	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM4.06	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.4	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-15467	MEDIUM4.06	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.4	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-68160	MEDIUM4	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-24882	LOW3.98	gnupg2-minimal 2.3.7-1.amzn2023.0.5 fixed in 2.3.7-1.amzn2023.0.7	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4224	LOW3.82	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2026-4786	LOW3.62	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-1299	LOW3.62	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2026-4786	LOW3.62	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.2% Theoretical Threat	Post-Exploit
CVE-2026-1299	LOW3.62	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2025-68973	LOW3.57	gnupg2-minimal 2.3.7-1.amzn2023.0.5 fixed in 2.3.7-1.amzn2023.0.6	0.1% Theoretical Threat	Post-Exploit
CVE-2025-13034	LOW3.47	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.2% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW3.47	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.6% Theoretical Threat	Post-Exploit
CVE-2025-13034	LOW3.47	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.2% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW3.47	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.6% Theoretical Threat	Post-Exploit
CVE-2025-69418	LOW3.4	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2025-14524	LOW3.31	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.6% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW3.31	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.3	0.7% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.3	0.7% Theoretical Threat	Post-Exploit
CVE-2026-0989	LOW3.15	libxml2 2.10.4-1.amzn2023.0.13 fixed in 2.10.4-1.amzn2023.0.17	0.4% Theoretical Threat	Directly Exposed
CVE-2026-6019	LOW3.11	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.6	0.2% Theoretical Threat	Post-Exploit
CVE-2026-6019	LOW3.11	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.6	0.2% Theoretical Threat	Post-Exploit
CVE-2025-68121	LOW3.06	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.6	0.8% Theoretical Threat	Post-Exploit
CVE-2026-6357	LOW2.96	python3-pip-wheel 21.3.1-2.amzn2023.0.14 fixed in 21.3.1-2.amzn2023.0.19	0.1% Theoretical Threat	Post-Exploit
CVE-2025-8732	LOW2.8	libxml2 2.10.4-1.amzn2023.0.13 fixed in 2.10.4-1.amzn2023.0.15	0.1% Theoretical Threat	Directly Exposed
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.1.125.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.2.7.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2026-48863	LOW2.7	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	—	Post-Exploit
CVE-2026-33557	LOW2.63	org.apache.kafka:kafka-clients 4.1.1 fixed in 4.1.2	0.5% Theoretical Threat	Post-Exploit
CVE-2025-15079	LOW2.48	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.5% Theoretical Threat	Post-Exploit
CVE-2025-15079	LOW2.48	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0992	LOW2.46	libxml2 2.10.4-1.amzn2023.0.13 fixed in 2.10.4-1.amzn2023.0.16	0.3% Theoretical Threat	Directly Exposed
CVE-2025-14017	LOW2.45	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.1% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.1% Theoretical Threat	Post-Exploit
CVE-2025-15282	LOW2.45	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0672	LOW2.45	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.4% Theoretical Threat	Post-Exploit
CVE-2025-15282	LOW2.45	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0672	LOW2.45	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.4% Theoretical Threat	Post-Exploit
CVE-2025-54920	LOW2.41	org.apache.spark:spark-core_2.13 3.5.4 fixed in 4.0.1, 3.5.7	5.3% Low-Moderate Risk	Post-Exploit
CVE-2025-15224	LOW2.4	curl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.4% Theoretical Threat	Post-Exploit
CVE-2025-15224	LOW2.4	libcurl-minimal 8.15.0-4.amzn2023.0.1 fixed in 8.17.0-1.amzn2023.0.1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-25210	LOW2.39	expat 2.6.3-1.amzn2023.0.3 fixed in 2.6.3-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-48864	LOW2.39	libsolv 0.7.22-1.amzn2023.0.2 fixed in 0.7.22-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2025-61726	LOW2.29	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.6	0.8% Theoretical Threat	Post-Exploit
CVE-2025-61728	LOW2.29	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.6	0.6% Theoretical Threat	Post-Exploit
CVE-2025-69421	LOW2.29	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	openssl-fips-provider-latest 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.9% Theoretical Threat	Post-Exploit
CVE-2025-69421	LOW2.29	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.2.2-1.amzn2023.0.5	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	openssl-libs 1:3.2.2-1.amzn2023.0.3 fixed in 1:3.5.5-1.amzn2023.0.4	0.9% Theoretical Threat	Post-Exploit
CVE-2026-3644	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4224	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3644	LOW2.29	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.5	0.4% Theoretical Threat	Post-Exploit
CVE-2026-21441	LOW2.29	python3-pip-wheel 21.3.1-2.amzn2023.0.14 fixed in 21.3.1-2.amzn2023.0.16	0.5% Theoretical Threat	Post-Exploit
CVE-2025-66418	LOW2.29	python3-pip-wheel 21.3.1-2.amzn2023.0.14 fixed in 21.3.1-2.amzn2023.0.15	0.5% Theoretical Threat	Post-Exploit
CVE-2025-66471	LOW2.29	python3-pip-wheel 21.3.1-2.amzn2023.0.14 fixed in 21.3.1-2.amzn2023.0.15	0.5% Theoretical Threat	Post-Exploit
CVE-2025-11468	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0865	LOW2.29	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2025-11468	LOW2.29	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0865	LOW2.29	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.5% Theoretical Threat	Post-Exploit
CVE-2026-1703	LOW1.99	python3-pip-wheel 21.3.1-2.amzn2023.0.14 fixed in 21.3.1-2.amzn2023.0.17	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW1.68	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-2297	LOW1.68	python3 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW1.68	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-2297	LOW1.68	python3-libs 3.9.25-1.amzn2023.0.3 fixed in 3.9.25-1.amzn2023.0.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39823	NONE0	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.7	0.3% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	libcap 2.73-1.amzn2023.0.5 fixed in 2.73-1.amzn2023.0.7	0.6% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.16.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.18.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.125.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.7.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-8149	NONE0	org.bouncycastle:bc-fips 2.1.2 No fix yet	0.2% Theoretical Threat	Not Applicable