Vulnerability Reportprom/statsd-exporter:v0.29.0

prom/statsd-exporter:v0.29.0

DIGESTsha256:632f705804922d50c1c95ba8ff9c8c0cc18d4bbb0cc265dc4f9ae708271c95b3

Executive Summary

Threat ScoreNEEDS ATTENTION• One medium-severity CVE (CVE-2026-25679, severity 6.38) in Go stdlib URL parser enables denial of service via crafted IPv6 host literals.• Image is from popular community publisher (prom, 121M+ pulls) and pinned by digest, ensuring immutability.• 27 total exposed vulnerabilities; only 1 with severity >=6; majority are low severity.• No post-exploitation vulnerabilities with high severity detected.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (121M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The most notable issue is CVE-2026-25679, a medium-severity vulnerability in the Go stdlib URL parser that could allow a remote attacker to cause a denial of service by sending a specially crafted request to the exporter's HTTP endpoint. Upgrading the underlying Go runtime would fully mitigate this vulnerability. The remaining 26 exposed vulnerabilities are low severity and do not pose significant risk in this context.

Vulnerabilities

Vulnerability Log

44 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-25679	MEDIUM6.38	stdlib v1.26.0 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.48.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32282	MEDIUM5.44	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32283	MEDIUM5.1	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32288	MEDIUM4.67	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-46598	MEDIUM4.5	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.26.0 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27138	LOW3.15	stdlib v1.26.0 fixed in 1.26.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33810	LOW2.51	stdlib v1.26.0 fixed in 1.26.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39829	LOW2.29	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39830	LOW2.29	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	golang.org/x/net v0.48.0 fixed in 0.53.0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-27137	LOW2.29	stdlib v1.26.0 fixed in 1.26.1	0.4% Theoretical Threat	Post-Exploit
CVE-2026-32280	LOW2.29	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Post-Exploit
CVE-2026-32281	LOW2.29	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33811	LOW2.29	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42508	LOW2.26	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46595	LOW2.17	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.26.0 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32289	LOW1.87	stdlib v1.26.0 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Post-Exploit
CVE-2026-27142	LOW1.65	stdlib v1.26.0 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39826	LOW1.65	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39827	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.46.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.48.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.48.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.48.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.48.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.48.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.39.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.0 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.0 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.0 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable