Vulnerability Reportprom/alertmanager:v0.32.0

prom/alertmanager:v0.32.0

DIGESTsha256:58e117eabccebbff04e6643a3432d6315a2cc3a8c24ab5849bc628886bf08857

Executive Summary

Threat ScoreNEEDS ATTENTION• One exposed vulnerability CVE-2026-39820 with severity 6.38 (medium-high) affecting stdlib, reachable via crafted alert inputs, leading to denial-of-service.• High reputation community image (483M+ pulls), pinned by digest, and trusted publisher (prom).• No post-exploit-only vulnerabilities of note; post_total is 2 with max severity 2.29.• Overall 11 exposed vulnerabilities, but only one exceeds severity 6.0, and none exceed 7.0.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (483M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The primary risk is a denial-of-service condition via crafted alert fields that trigger excessive CPU and memory usage, as described in CVE-2026-39820. Since Alertmanager processes external alert data, this vulnerability is relevant. Patching the stdlib package to a newer version would fully eliminate this issue.

Vulnerabilities

Vulnerability Log

13 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-39820	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.41.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39826	LOW3.67	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable