This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could cause denial of service by sending crafted HTTP requests with excessive query parameters or invalid IPv6 host literals, and could bypass TLS certificate validation if the server's TLS configuration is mutated between handshakes—a non-default scenario. While the image is from a trusted community and pinned by digest, the high number of exposed vulnerabilities (63 total, 6 with severity ≥6) increases the attack surface for internet-facing deployments. Disabling TLS session resumption or restricting inbound HTTP traffic could mitigate some risks, but not all findings are easily compensated.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2025-68121 | MEDIUM6.8 | stdlib v1.23.6 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3 | 0.8% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2025-61726 | MEDIUM6.38 | stdlib v1.23.6 fixed in 1.24.12, 1.25.6 | 0.8% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-25679 | MEDIUM6.38 | stdlib v1.23.6 fixed in 1.25.8, 1.26.1 | 0.5% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-39836 | MEDIUM6.38 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42508 | MEDIUM6.29 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-46595 | MEDIUM6.03 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-47907 | MEDIUM5.95 | stdlib v1.23.6 fixed in 1.23.12, 1.24.6 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-4673 | MEDIUM5.78 | stdlib v1.23.6 fixed in 1.23.10, 1.24.4 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-22872 | MEDIUM5.52 | golang.org/x/net v0.33.0 fixed in 0.38.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-47906 | MEDIUM5.52 | stdlib v1.23.6 fixed in 1.23.12, 1.24.6 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-61727 | MEDIUM5.52 | stdlib v1.23.6 fixed in 1.24.11, 1.25.5 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-32282 | MEDIUM5.44 | stdlib v1.23.6 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-32289 | MEDIUM5.18 | stdlib v1.23.6 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-61729 | MEDIUM5.1 | stdlib v1.23.6 fixed in 1.24.11, 1.25.5 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-32280 | MEDIUM5.1 | stdlib v1.23.6 fixed in 1.25.9, 1.26.2 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-32281 | MEDIUM5.1 | stdlib v1.23.6 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-32283 | MEDIUM5.1 | stdlib v1.23.6 fixed in 1.25.9, 1.26.2 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33811 | MEDIUM5.1 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-32288 | MEDIUM4.67 | stdlib v1.23.6 fixed in 1.25.9, 1.26.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-22871 | MEDIUM4.59 | stdlib v1.23.6 fixed in 1.23.8, 1.24.2 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-27142 | MEDIUM4.59 | stdlib v1.23.6 fixed in 1.25.8, 1.26.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-39826 | MEDIUM4.59 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-47914 | MEDIUM4.5 | golang.org/x/crypto v0.31.0 fixed in 0.45.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-58181 | MEDIUM4.5 | golang.org/x/crypto v0.31.0 fixed in 0.45.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-46598 | MEDIUM4.5 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-47911 | MEDIUM4.5 | golang.org/x/net v0.33.0 fixed in 0.45.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-58190 | MEDIUM4.5 | golang.org/x/net v0.33.0 fixed in 0.45.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-22873 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.23.9, 1.24.3 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2025-47912 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-58185 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-58187 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.9, 1.25.3 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-58188 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-58189 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-61723 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-61724 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2025-61725 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2025-61730 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.12, 1.25.6 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42507 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.25.11, 1.26.4 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-58186 | MEDIUM4.5 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-39821 | MEDIUM4.18 | golang.org/x/net v0.33.0 fixed in 0.55.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2025-22870 | LOW3.74 | golang.org/x/net v0.33.0 fixed in 0.36.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2025-22870 | LOW3.74 | stdlib v1.23.6 fixed in 1.23.7, 1.24.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-26958 | LOW3.15 | filippo.io/edwards25519 v1.1.0 fixed in 1.1.1 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-39828 | LOW2.69 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2025-22869 | LOW2.29 | golang.org/x/crypto v0.31.0 fixed in 0.35.0 | 0.9% Theoretical Threat | Post-Exploit |
| CVE-2025-47913 | LOW2.29 | golang.org/x/crypto v0.31.0 fixed in 0.43.0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-39829 | LOW2.29 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-39830 | LOW2.29 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-33814 | LOW2.29 | golang.org/x/net v0.33.0 fixed in 0.53.0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2025-22868 | LOW2.29 | golang.org/x/oauth2 v0.24.0 fixed in 0.27.0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-33814 | LOW2.29 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-39820 | LOW2.29 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2025-58183 | LOW2.29 | stdlib v1.23.6 fixed in 1.24.8, 1.25.2 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2025-61728 | LOW2.29 | stdlib v1.23.6 fixed in 1.24.12, 1.25.6 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-27139 | LOW2.12 | stdlib v1.23.6 fixed in 1.25.8, 1.26.1 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-39827 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-39835 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-46597 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39831 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39832 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39833 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39834 | NONE0 | golang.org/x/crypto v0.31.0 fixed in 0.52.0 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-25680 | NONE0 | golang.org/x/net v0.33.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-25681 | NONE0 | golang.org/x/net v0.33.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-27136 | NONE0 | golang.org/x/net v0.33.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-42502 | NONE0 | golang.org/x/net v0.33.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-42506 | NONE0 | golang.org/x/net v0.33.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-39824 | NONE0 | golang.org/x/sys v0.28.0 fixed in 0.44.0 | 0.1% Theoretical Threat | Not Applicable |
| CVE-2026-27145 | NONE0 | stdlib v1.23.6 fixed in 1.25.11, 1.26.4 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-39823 | NONE0 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-39825 | NONE0 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-42499 | NONE0 | stdlib v1.23.6 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-42504 | NONE0 | stdlib v1.23.6 fixed in 1.25.11, 1.26.4 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2025-0913 | NONE0 | stdlib v1.23.6 fixed in 1.23.10, 1.24.4 | 0.2% Theoretical Threat | Not Applicable |