Vulnerability Reportsolr:latest

Name: solr:10 Security Vulnerability Report
Creator: BaseImage
Keywords: solr:10, Docker security, vulnerability scan, CVE, container security, SBOM

solr:latestsolr:10.0.0solr:10.0solr:10

DIGESTsha256:79b08a5fabda917e6d840c384485a7c5d0dcfe3a0ebcb5bf65c30278c3b53ade

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution, bypass authentication, smuggle requests to bypass security controls, or cause a denial of service. Notably, critical vulnerabilities like `CVE-2026-42581` (request smuggling) and `CVE-2025-48734` (potential remote code execution) are present in highly relevant components. The authentication bypass vulnerability (`CVE-2026-42010`) specifically applies if GnuTLS is configured with RSA-PSK authentication, and `CVE-2025-48734` is exploitable if untrusted input is processed by vulnerable `commons-beanutils` methods. The combination of numerous high-severity flaws and severe potential consequences necessitates immediate remediation and avoiding production use.

Threat Score

100/100

DANGEROUS

Multiple critical and high-severity vulnerabilities are present, with a maximum exposed severity of 9.8 and 10 vulnerabilities rated >= 7.0.
Critical consequences identified include potential remote code execution (via CVE-2025-48734), authentication bypass (CVE-2026-42010), request smuggling (CVE-2026-42581, CVE-2026-2332), and denial of service (CVE-2026-42587).
Key components like Netty (HTTP processing), Jetty (HTTP server), and GnuTLS (TLS validation) are affected by these high-impact vulnerabilities.
The image has a significant number of exposed vulnerabilities, totaling 73, with 32 having a severity score of 6.0 or higher.

Reputation

TRUSTED

Docker Official

OFFICIAL

Official Docker Hub Image
Pinned by digest (Immutable)

BaseImage/

solr:latest

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

86 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	CRITICAL9.8	io.netty:netty-codec-http 4.2.6.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: HIGH
CVE-2026-42013	HIGH8.2	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: HIGH
CVE-2026-42010	HIGH7.84	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 12.0.27 fixed in 12.1.7, 12.0.33	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	HIGH7.5	io.netty:netty-codec-http 4.2.6.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: HIGH
CVE-2026-42585	HIGH7.5	io.netty:netty-codec-http 4.2.6.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: HIGH
CVE-2025-48734	HIGH7.48	commons-beanutils:commons-beanutils 1.9.4 fixed in 1.11.0	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42011	HIGH7.4	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: HIGH
CVE-2026-42584	HIGH7.28	io.netty:netty-codec-http 4.2.6.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-42012	HIGH7.1	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly Exposed
CVE-2026-41417	MEDIUM6.5	io.netty:netty-codec-http 4.2.6.Final fixed in 4.1.133.Final, 4.2.13.Final	—	Directly Exposed
CVE-2026-42580	MEDIUM6.5	io.netty:netty-codec-http 4.2.6.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly Exposed
CVE-2026-41989	MEDIUM6.38	libgcrypt20 1.10.3-2build1 fixed in 1.10.3-2ubuntu0.1	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33846	MEDIUM6.38	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.grpc:grpc-netty-shaded 1.65.1 fixed in 1.75.0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.2.6.Final fixed in 4.1.132.Final, 4.2.10.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.2.6.Final fixed in 4.1.132.Final, 4.2.11.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34479	MEDIUM6.38	org.apache.logging.log4j:log4j-1.2-api 2.25.3 fixed in 2.25.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34478	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34481	MEDIUM6.38	org.apache.logging.log4j:log4j-layout-template-json 2.25.3 fixed in 2.25.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40682	MEDIUM6.38	org.apache.opennlp:opennlp-tools 2.5.6 fixed in 2.5.9, 3.0.0-M3	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42027	MEDIUM6.38	org.apache.opennlp:opennlp-tools 2.5.6 fixed in 2.5.9, 3.0.0-M3	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42440	MEDIUM6.38	org.apache.opennlp:opennlp-tools 2.5.6 fixed in 2.5.9, 3.0.0-M3	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-24308	MEDIUM6.38	org.apache.zookeeper:zookeeper 3.9.4 fixed in 3.9.5, 3.8.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-1605	MEDIUM6.38	org.eclipse.jetty:jetty-server 12.0.27 fixed in 12.1.6, 12.0.32	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-3833	MEDIUM6.29	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-24281	MEDIUM6.29	org.apache.zookeeper:zookeeper 3.9.4 fixed in 3.8.6, 3.9.5	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6	io.netty:netty-codec-http2 4.2.6.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-42578	MEDIUM6	io.netty:netty-handler-proxy 4.2.6.Final fixed in 4.1.133.Final, 4.2.13.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-45292	MEDIUM6	io.opentelemetry:opentelemetry-api 1.56.0 fixed in 1.62.0	—	Directly ExposedContext importance: MEDIUM
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.9.1 fixed in 3.9.2, 4.0.2, 4.1.2	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.2.6.Final fixed in 4.2.8.Final, 4.1.129.Final	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 12.0.27 fixed in 12.0.31, 12.1.5	0.1% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40226	MEDIUM5.44	libsystemd0 255.4-1ubuntu8.15 fixed in 255.4-1ubuntu8.16	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40226	MEDIUM5.44	libudev1 255.4-1ubuntu8.15 fixed in 255.4-1ubuntu8.16	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM5.3	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2024-2236	MEDIUM5.02	libgcrypt20 1.10.3-2build1 No fix yet	0.7% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.1% Theoretical Threat	Directly Exposed
CVE-2026-5260	MEDIUM4.92	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly Exposed
CVE-2025-66382	MEDIUM4.67	libexpat1 2.6.1-2ubuntu0.4 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33845	MEDIUM4.64	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42009	MEDIUM4.5	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	liblzma5 5.6.1+really5.4.5-1ubuntu0.2 fixed in 5.6.1+really5.4.5-1ubuntu0.3	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libblkid1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libmount1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libsmartcols1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libuuid1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5419	LOW3.7	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly Exposed
CVE-2026-4438	LOW3.4	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-3832	LOW3.15	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-45582	LOW2.86	tar 1.35+dfsg-3build1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-5704	LOW2.8	tar 1.35+dfsg-3build1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-40228	LOW2.8	libsystemd0 255.4-1ubuntu8.15 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40228	LOW2.8	libudev1 255.4-1ubuntu8.15 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	LOW2.4	bsdutils 1:2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	mount 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	util-linux 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-56433	LOW2.16	login 1:4.13+dfsg1-4ubuntu3.2 No fix yet	4.5% Low-Moderate Risk	Post-Exploit
CVE-2024-56433	LOW2.16	passwd 1:4.13+dfsg1-4ubuntu3.2 No fix yet	4.5% Low-Moderate Risk	Post-Exploit
CVE-2021-31879	LOW1.87	wget 1.21.4-1ubuntu4.1 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4437	NONE0	locales 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-6238	NONE0	locales 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-5435	NONE0	locales 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-4046	NONE0	locales 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-4438	NONE0	locales 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42014	NONE0	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.20.0 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.6.Final fixed in 4.2.13.Final	—	Not Applicable
CVE-2026-47244	NONE0	io.netty:netty-codec-http2 4.2.6.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-44249	NONE0	io.netty:netty-handler 4.2.6.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45416	NONE0	io.netty:netty-handler 4.2.6.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.6.Final fixed in 4.2.13.Final	—	Not Applicable
CVE-2026-45536	NONE0	io.netty:netty-transport-native-epoll 4.2.6.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.9.1 fixed in 3.9.2, 4.0.1	0.1% Theoretical Threat	Not Applicable