This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit DNS cache poisoning (CVE-2026-45674, CVE-2026-47691) to redirect artifact downloads to malicious sources, or use HTTP request smuggling (CVE-2026-42581) to bypass security controls and access sensitive data. The vulnerabilities are in core Netty components (DNS resolver, HTTP codec) that are essential for Nexus operation, and no full mitigations exist without disabling critical functionality.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-45674 | HIGH8.5 | io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-47691 | HIGH8.5 | io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42581 | HIGH8.33 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.4% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42579 | HIGH7.73 | io.netty:netty-codec-dns 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.4% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42584 | HIGH7.73 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.3% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-22016 | MEDIUM6.38 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.4% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-34282 | MEDIUM6.38 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-22016 | MEDIUM6.38 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.4% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-34282 | MEDIUM6.38 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42587 | MEDIUM6.38 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.5% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42585 | MEDIUM6.38 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.2% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-42587 | MEDIUM6.38 | io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-48043 | MEDIUM6.38 | io.netty:netty-codec-http2 4.2.12.Final fixed in 4.1.135.Final, 4.2.15.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-45416 | MEDIUM6.38 | io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-50010 | MEDIUM6.38 | io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-45292 | MEDIUM6.38 | io.opentelemetry:opentelemetry-api 1.47.0 fixed in 1.62.0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-34182 | MEDIUM6.29 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-34182 | MEDIUM6.29 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-45673 | MEDIUM5.78 | io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-41417 | MEDIUM5.52 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42580 | MEDIUM5.52 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-44249 | MEDIUM5.5 | io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-34181 | MEDIUM5.35 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42768 | MEDIUM5.35 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-34181 | MEDIUM5.35 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-42768 | MEDIUM5.35 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-42578 | MEDIUM5.1 | io.netty:netty-handler-proxy 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42198 | MEDIUM5.1 | org.postgresql:postgresql 42.7.2 fixed in 42.7.11 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42764 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-42769 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42770 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-9076 | MEDIUM5.02 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42764 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.7% Theoretical Threat | Directly Exposed |
| CVE-2026-42769 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42770 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-9076 | MEDIUM5.02 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-7383 | MEDIUM4.67 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-7383 | MEDIUM4.67 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42766 | MEDIUM4.5 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42767 | MEDIUM4.5 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42766 | MEDIUM4.5 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.6% Theoretical Threat | Directly Exposed |
| CVE-2026-42767 | MEDIUM4.5 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-22013 | MEDIUM4.5 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-22021 | MEDIUM4.5 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-23865 | MEDIUM4.5 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-22013 | MEDIUM4.5 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-22021 | MEDIUM4.5 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-23865 | MEDIUM4.5 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-50020 | MEDIUM4.5 | io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-47244 | MEDIUM4.5 | io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-50560 | MEDIUM4.5 | io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-23903 | MEDIUM4.5 | org.apache.shiro:shiro-spring 1.13.0 fixed in 2.1.0 | 0.4% Theoretical Threat | Directly Exposed |
| CVE-2026-34180 | MEDIUM4.25 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-34180 | MEDIUM4.25 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Directly Exposed |
| CVE-2026-1225 | MEDIUM4.25 | ch.qos.logback:logback-core 1.5.19 fixed in 1.5.25 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-34182 | LOW3.77 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-1965 | LOW3.47 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-14819 | LOW3.47 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-1965 | LOW3.47 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-14819 | LOW3.47 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-45536 | LOW3.4 | io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-45536 | LOW3.4 | io.netty:netty-transport-native-kqueue 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-3784 | LOW3.31 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-14524 | LOW3.31 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-3784 | LOW3.31 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2025-14524 | LOW3.31 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-3805 | LOW3.21 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.7% Theoretical Threat | Post-Exploit |
| CVE-2026-3805 | LOW3.21 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.7% Theoretical Threat | Post-Exploit |
| CVE-2026-34181 | LOW3.21 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-42768 | LOW3.21 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-45446 | LOW3.15 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-45446 | LOW3.15 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-22008 | LOW3.15 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-22018 | LOW3.15 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-22008 | LOW3.15 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-22018 | LOW3.15 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-42764 | LOW3.01 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.7% Theoretical Threat | Post-Exploit |
| CVE-2026-42769 | LOW3.01 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-42770 | LOW3.01 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-9076 | LOW3.01 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-45447 | LOW2.92 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 1.4% Low-Moderate Risk | Post-Exploit |
| CVE-2026-45447 | LOW2.92 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 1.4% Low-Moderate Risk | Post-Exploit |
| CVE-2026-45447 | LOW2.92 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 1.4% Low-Moderate Risk | Post-Exploit |
| CVE-2026-3783 | LOW2.91 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-3783 | LOW2.91 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-7383 | LOW2.8 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-45445 | LOW2.78 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-45445 | LOW2.78 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-45445 | LOW2.78 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22013 | LOW2.7 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22021 | LOW2.7 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-23865 | LOW2.7 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22013 | LOW2.7 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22021 | LOW2.7 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-23865 | LOW2.7 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22013 | LOW2.7 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22021 | LOW2.7 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-23865 | LOW2.7 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22013 | LOW2.7 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22021 | LOW2.7 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-23865 | LOW2.7 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-42766 | LOW2.7 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.6% Theoretical Threat | Post-Exploit |
| CVE-2026-42767 | LOW2.7 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-34180 | LOW2.55 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-22007 | LOW2.46 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-34268 | LOW2.46 | openjdk25-jre 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-22007 | LOW2.46 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-34268 | LOW2.46 | openjdk25-jre-headless 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2025-14017 | LOW2.45 | curl 8.17.0-r1 fixed in 8.19.0-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2025-14017 | LOW2.45 | libcurl 8.17.0-r1 fixed in 8.19.0-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-34183 | LOW2.29 | libcrypto3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-34183 | LOW2.29 | libssl3 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-22016 | LOW2.29 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-34282 | LOW2.29 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22016 | LOW2.29 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-34282 | LOW2.29 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22016 | LOW2.29 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-34282 | LOW2.29 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22016 | LOW2.29 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-34282 | LOW2.29 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-34183 | LOW2.29 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-23901 | LOW2.12 | org.apache.shiro:shiro-core 1.13.0 fixed in 2.1.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-22008 | LOW1.89 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-22018 | LOW1.89 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22008 | LOW1.89 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-22018 | LOW1.89 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22008 | LOW1.89 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-22018 | LOW1.89 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-22008 | LOW1.89 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-22018 | LOW1.89 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-45446 | LOW1.89 | openssl 3.5.6-r0 fixed in 3.5.7-r0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-22007 | LOW1.48 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-34268 | LOW1.48 | openjdk25 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22007 | LOW1.48 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-34268 | LOW1.48 | openjdk25-demos 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22007 | LOW1.48 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-34268 | LOW1.48 | openjdk25-jdk 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-22007 | LOW1.48 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-34268 | LOW1.48 | openjdk25-jmods 25.0.2_p10-r1 fixed in 25.0.3_p9-r0 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-40930 | NONE0 | libpng 1.6.57-r0 fixed in 1.6.58-r1 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-42583 | NONE0 | io.netty:netty-codec-compression 4.2.12.Final fixed in 4.2.13.Final | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-42577 | NONE0 | io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.13.Final | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-8149 | NONE0 | org.bouncycastle:bc-fips 2.1.2 No fix yet | 0.2% Theoretical Threat | Not Applicable |