Last scanned:
This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. CVE-2026-49268 is an LDAP injection vulnerability in Apache Shiro that could allow a remote attacker to bypass authentication and gain unauthorized access to the Nexus repository, but it only applies if the LDAP authentication module (DefaultLdapRealm) is enabled. Upgrading to Shiro 2.2.1 or 3.0.0-alpha-2, or disabling the LDAP realm, fully mitigates this risk. No other exploitable vulnerabilities were found in this image.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-49268 | MEDIUM6.18 | org.apache.shiro:shiro-core 1.13.0 fixed in 2.2.1, 3.0.0-alpha-2 | 0.5% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-43827 | MEDIUM4.42 | org.apache.shiro:shiro-core 1.13.0 fixed in 2.2.0, 3.0.0-alpha-2 | 0.4% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-43828 | MEDIUM4.42 | org.apache.shiro:shiro-web 1.13.0 fixed in 2.2.0, 3.0.0-alpha-2 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-2100 | LOW2.7 | p11-kit 0.25.5-r2 fixed in 0.26.2-r0 | 1.1% Low-Moderate Risk | Post-Exploit |
| CVE-2026-2100 | LOW2.7 | p11-kit-trust 0.25.5-r2 fixed in 0.26.2-r0 | 1.1% Low-Moderate Risk | Post-Exploit |
| CVE-2026-54515 | LOW2.7 | com.fasterxml.jackson.core:jackson-databind 2.22.0 fixed in 3.1.4, 2.18.9, 2.21.5, 2.22.1 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-23901 | LOW2.12 | org.apache.shiro:shiro-core 1.13.0 fixed in 2.1.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-23903 | LOW1.62 | org.apache.shiro:shiro-spring 1.13.0 fixed in 2.1.0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-11856 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-8925 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8927 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-9079 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-10536 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-11352 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-11564 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-11586 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-12064 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8286 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8458 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8924 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8926 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-9080 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-9545 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.1% Theoretical Threat | Not Applicable |
| CVE-2026-9547 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8932 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.1% Theoretical Threat | Not Applicable |
| CVE-2026-9546 | NONE0 | curl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-11856 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-8925 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8927 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-9079 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-10536 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-11352 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-11564 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-11586 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-12064 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8286 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8458 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8924 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8926 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-9080 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-9545 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.1% Theoretical Threat | Not Applicable |
| CVE-2026-9547 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-8932 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.1% Theoretical Threat | Not Applicable |
| CVE-2026-9546 | NONE0 | libcurl 8.20.0-r1 fixed in 8.21.0-r0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-9828 | NONE0 | ch.qos.logback:logback-core 1.5.32 fixed in 1.5.33 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-8149 | NONE0 | org.bouncycastle:bc-fips 2.1.2 No fix yet | 0.2% Theoretical Threat | Not Applicable |
Want to check another image? Run a full scan with the Docker Security Scanner.