Vulnerability Reportsonatype/nexus3:3.90.3

sonatype/nexus3:3.90.3-alpinesonatype/nexus3:3.90.3

DIGESTsha256:a7a46e6493e9434b295f294241568b122778c9c3ea61e808e40f4944aab580e3

Executive Summary

Threat ScoreDANGEROUS• 8 high-severity vulnerabilities (CVSS >=7) expose the container to critical attacks.• CVE-2026-45674 and CVE-2026-47691 allow DNS poisoning, potentially redirecting artifact fetches to attacker-controlled servers.• CVE-2026-42581 enables HTTP request smuggling, bypassing security controls and enabling cache poisoning.• Image is from a trusted publisher (sonatype), but the volume and severity of exposed vulnerabilities outweigh reputation.

100/100DANGEROUS

ReputationVERIFIED• Verified Publisher (Trusted Vendor)• Pinned by digest (Immutable)

TRUSTED

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit DNS poisoning (CVE-2026-45674, CVE-2026-47691) to redirect artifact resolutions, HTTP smuggling (CVE-2026-42581) to bypass authentication, or LDAP injection (CVE-2026-49268) to gain unauthorized access. Note: CVE-2026-49268 only applies if LDAP authentication is enabled, which is a common configuration for Nexus.

Vulnerabilities

Vulnerability Log

192 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45674	HIGH8.5	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-47691	HIGH8.5	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42579	HIGH7.73	io.netty:netty-codec-dns 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42584	HIGH7.73	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-49268	HIGH7.73	org.apache.shiro:shiro-core 1.13.0 fixed in 2.2.1, 3.0.0-alpha-2	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 12.0.17 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.5.1 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-31789	MEDIUM6.66	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-31789	MEDIUM6.66	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45447	MEDIUM6.48	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-45447	MEDIUM6.48	libssl3 3.5.5-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-41254	MEDIUM6.38	lcms2 2.17-r0 fixed in 2.19-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-27135	MEDIUM6.38	nghttp2-libs 1.68.0-r0 fixed in 1.68.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22016	MEDIUM6.38	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-34282	MEDIUM6.38	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22016	MEDIUM6.38	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-22016	MEDIUM6.38	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-22016	MEDIUM6.38	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34282	MEDIUM6.38	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22016	MEDIUM6.38	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34282	MEDIUM6.38	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.132.Final, 4.2.10.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.132.Final, 4.2.11.Final	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.1.135.Final, 4.2.15.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45292	MEDIUM6.38	io.opentelemetry:opentelemetry-api 1.47.0 fixed in 1.62.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-3505	MEDIUM6.38	org.bouncycastle:bcpg-jdk15to18 1.81 fixed in 1.84	0.4% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk15to18 1.81 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.81 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.2 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40973	MEDIUM5.95	org.springframework.boot:spring-boot 3.3.11 fixed in 4.0.6, 3.5.14	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk15to18 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 12.0.17 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 6.5.6 fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22013	MEDIUM4.5	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22021	MEDIUM4.5	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-23865	MEDIUM4.5	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22013	MEDIUM4.5	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22021	MEDIUM4.5	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-23865	MEDIUM4.5	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22013	MEDIUM4.5	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22021	MEDIUM4.5	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-23865	MEDIUM4.5	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-23903	MEDIUM4.5	org.apache.shiro:shiro-spring 1.13.0 fixed in 2.1.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-47554	MEDIUM4.3	commons-io:commons-io 2.8.0 fixed in 2.14.0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.19 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22751	MEDIUM4.08	org.springframework.security:spring-security-core 6.5.6 fixed in 6.5.10, 7.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2026-34282	LOW3.82	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34282	LOW3.82	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34282	LOW3.82	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW3.82	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW3.77	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34757	LOW3.74	libpng 1.6.56-r0 fixed in 1.6.57-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-1965	LOW3.47	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW3.47	curl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-1965	LOW3.47	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14819	LOW3.47	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.2.9.Final fixed in 4.2.15.Final, 4.1.135.Final	0.1% Theoretical Threat	Directly Exposed
CVE-2026-3784	LOW3.31	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW3.31	curl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-3784	LOW3.31	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-14524	LOW3.31	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-2673	LOW3.31	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	curl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-3805	LOW3.21	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34181	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22018	LOW3.15	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22018	LOW3.15	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22018	LOW3.15	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22746	LOW3.15	org.springframework.security:spring-security-core 6.5.6 fixed in 6.5.10, 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31790	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.5.5-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-3783	LOW2.91	curl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-3783	LOW2.91	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-22013	LOW2.7	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-22021	LOW2.7	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-23865	LOW2.7	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22013	LOW2.7	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-22021	LOW2.7	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-23865	LOW2.7	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22013	LOW2.7	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-22021	LOW2.7	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-23865	LOW2.7	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-22007	LOW2.46	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-34268	LOW2.46	openjdk21 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22007	LOW2.46	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-34268	LOW2.46	openjdk21-jre 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22007	LOW2.46	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-34268	LOW2.46	openjdk21-jre-headless 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-14017	LOW2.45	curl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2025-14017	LOW2.45	libcurl 8.17.0-r1 fixed in 8.19.0-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-22016	LOW2.29	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-23901	LOW2.12	org.apache.shiro:shiro-core 1.13.0 fixed in 2.1.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22018	LOW1.89	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-22018	LOW1.89	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-22018	LOW1.89	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-22007	LOW1.48	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-34268	LOW1.48	openjdk21-demos 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22007	LOW1.48	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-34268	LOW1.48	openjdk21-jdk 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22007	LOW1.48	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-34268	LOW1.48	openjdk21-jmods 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Post-Exploit
CVE-2026-40200	NONE0	musl-utils 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Not Applicable
CVE-2026-22016	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-34282	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-6042	NONE0	musl-utils 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Not Applicable
CVE-2026-22013	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-22021	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-23865	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Not Applicable
CVE-2026-22018	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.3% Theoretical Threat	Not Applicable
CVE-2026-22007	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Not Applicable
CVE-2026-34268	NONE0	openjdk21-doc 21.0.10_p7-r0 fixed in 21.0.11_p10-r0	0.1% Theoretical Threat	Not Applicable
CVE-2026-40930	NONE0	libpng 1.6.56-r0 fixed in 1.6.58-r1	0.2% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.20.1 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.9.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-8149	NONE0	org.bouncycastle:bc-fips 2.1.2 No fix yet	0.2% Theoretical Threat	Not Applicable