Last scanned:
This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. While 43 vulnerabilities are present, only one (CVE-2026-1525) has a medium severity score of 6.66 and it only applies if the application passes user-controlled header names to the undici HTTP client. In typical configurations, the risk is low. Disabling user-controlled headers or enforcing header case normalization would fully eliminate this vulnerability.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-1525 | MEDIUM6.66 | undici 6.23.0 fixed in 6.24.0, 7.24.0 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33671 | MEDIUM5.52 | picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-34181 | MEDIUM5.35 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42768 | MEDIUM5.35 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-34181 | MEDIUM5.35 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42768 | MEDIUM5.35 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2017-16137 | MEDIUM5.3 | debug 4.1.1 fixed in 2.6.9, 3.1.0, 3.2.7, 4.3.1 | 2.8% Low-Moderate Risk | Directly Exposed |
| CVE-2026-42338 | MEDIUM5.18 | ip-address 10.1.0 fixed in 10.1.1 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-33750 | MEDIUM5.1 | brace-expansion 2.0.2 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-33750 | MEDIUM5.1 | brace-expansion 5.0.4 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-45149 | MEDIUM5.1 | brace-expansion 5.0.4 fixed in 5.0.6 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-26996 | MEDIUM5.1 | minimatch 10.1.1 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42764 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-42769 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42770 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-9076 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42764 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-42769 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42770 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-9076 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-27903 | MEDIUM5.02 | minimatch 10.1.1 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-9679 | MEDIUM5.02 | undici 6.23.0 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-7383 | MEDIUM4.67 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-7383 | MEDIUM4.67 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-42766 | MEDIUM4.5 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42767 | MEDIUM4.5 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42766 | MEDIUM4.5 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42767 | MEDIUM4.5 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-54285 | MEDIUM4.5 | @opentelemetry/core 2.7.1 fixed in 2.8.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-53550 | MEDIUM4.5 | js-yaml 4.1.1 fixed in 4.2.0, 3.15.0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-33672 | MEDIUM4.5 | picomatch 4.0.3 fixed in 4.0.4, 3.0.2, 2.3.2 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-27904 | MEDIUM4.42 | minimatch 10.1.1 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-1527 | MEDIUM4.42 | undici 6.23.0 fixed in 6.24.0, 7.24.0 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-34180 | MEDIUM4.25 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-34180 | MEDIUM4.25 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-29786 | LOW3.21 | tar 7.5.9 fixed in 7.5.10 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-45446 | LOW3.15 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-45446 | LOW3.15 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2024-47764 | LOW3.15 | cookie 0.4.2 fixed in 0.7.0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-11525 | LOW3.15 | undici 6.23.0 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-6733 | LOW3.15 | undici 6.23.0 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-45447 | LOW2.92 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2026-45447 | LOW2.92 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 2.7% Low-Moderate Risk | Post-Exploit |
| CVE-2026-53655 | LOW2.8 | tar 7.5.11 fixed in 7.5.16 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-31802 | LOW2.8 | tar 7.5.9 fixed in 7.5.11 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-53655 | LOW2.8 | tar 7.5.9 fixed in 7.5.16 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-45445 | LOW2.78 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-45445 | LOW2.78 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-1526 | LOW2.7 | undici 6.23.0 fixed in 6.24.0, 7.24.0 | 1.1% Low-Moderate Risk | Post-Exploit |
| CVE-2026-34183 | LOW2.29 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-34183 | LOW2.29 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-33151 | LOW2.29 | socket.io-parser 3.3.4 fixed in 3.3.5, 3.4.4, 4.2.6 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-33151 | LOW2.29 | socket.io-parser 3.4.3 fixed in 3.3.5, 3.4.4, 4.2.6 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-12151 | LOW2.29 | undici 6.23.0 fixed in 6.27.0, 7.28.0, 8.5.0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-1528 | LOW2.29 | undici 6.23.0 fixed in 6.24.0, 7.24.0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-2229 | LOW2.29 | undici 6.23.0 fixed in 6.24.0, 7.24.0 | 0.9% Theoretical Threat | Post-Exploit |
| CVE-2026-48779 | LOW2.29 | ws 6.2.3 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-48779 | LOW2.29 | ws 7.5.10 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0 | 0.8% Theoretical Threat | Post-Exploit |
| CVE-2026-34182 | LOW2.26 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-34182 | LOW2.26 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-48758 | NONE0 | @sigstore/core 2.0.0 fixed in 3.2.1 | — | Not Applicable |
| CVE-2024-36751 | NONE0 | parseuri 0.0.6 fixed in 2.0.0 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-48815 | NONE0 | sigstore 3.1.0 fixed in 4.1.1 | — | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.