Vulnerability Reportsonatype/nexus3:3.93.2-alpine

sonatype/nexus3:3.93.2-alpinesonatype/nexus3:3.93.2
DIGESTsha256:c37df0fbbfb5a7cda4efffe1ff9402cad671f0bc11df0ebbfa5043049084f227

Executive Summary

Last scanned:

Threat Score
25/100NEEDS ATTENTION
Reputation
TRUSTED

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. CVE-2026-49268 is an LDAP injection vulnerability in Apache Shiro that could allow a remote attacker to bypass authentication and gain unauthorized access to the Nexus repository, but it only applies if the LDAP authentication module (DefaultLdapRealm) is enabled. Upgrading to Shiro 2.2.1 or 3.0.0-alpha-2, or disabling the LDAP realm, fully mitigates this risk. No other exploitable vulnerabilities were found in this image.

Vulnerabilities

Vulnerability Log

46 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2026-49268MEDIUM6.18
org.apache.shiro:shiro-core
1.13.0
fixed in 2.2.1, 3.0.0-alpha-2
0.5%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-43827MEDIUM4.42
org.apache.shiro:shiro-core
1.13.0
fixed in 2.2.0, 3.0.0-alpha-2
0.4%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-43828MEDIUM4.42
org.apache.shiro:shiro-web
1.13.0
fixed in 2.2.0, 3.0.0-alpha-2
0.3%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-2100LOW2.7
p11-kit
0.25.5-r2
fixed in 0.26.2-r0
1.1%
Low-Moderate Risk
Post-Exploit
CVE-2026-2100LOW2.7
p11-kit-trust
0.25.5-r2
fixed in 0.26.2-r0
1.1%
Low-Moderate Risk
Post-Exploit
CVE-2026-54515LOW2.7
com.fasterxml.jackson.core:jackson-databind
2.22.0
fixed in 3.1.4, 2.18.9, 2.21.5, 2.22.1
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-23901LOW2.12
org.apache.shiro:shiro-core
1.13.0
fixed in 2.1.0
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-23903LOW1.62
org.apache.shiro:shiro-spring
1.13.0
fixed in 2.1.0
0.4%
Theoretical Threat
Post-Exploit
CVE-2026-11856NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-8925NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8927NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-9079NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-10536NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-11352NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-11564NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-11586NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-12064NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8286NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8458NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8924NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8926NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-9080NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-9545NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.1%
Theoretical Threat
Not Applicable
CVE-2026-9547NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8932NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.1%
Theoretical Threat
Not Applicable
CVE-2026-9546NONE0
curl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-11856NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-8925NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8927NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-9079NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-10536NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-11352NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.3%
Theoretical Threat
Not Applicable
CVE-2026-11564NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-11586NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-12064NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8286NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8458NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8924NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8926NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-9080NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-9545NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.1%
Theoretical Threat
Not Applicable
CVE-2026-9547NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-8932NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.1%
Theoretical Threat
Not Applicable
CVE-2026-9546NONE0
libcurl
8.20.0-r1
fixed in 8.21.0-r0
0.2%
Theoretical Threat
Not Applicable
CVE-2026-9828NONE0
ch.qos.logback:logback-core
1.5.32
fixed in 1.5.33
0.4%
Theoretical Threat
Not Applicable
CVE-2026-8149NONE0
org.bouncycastle:bc-fips
2.1.2
No fix yet
0.2%
Theoretical Threat
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.