This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The container has 24 exposed vulnerabilities, three of which (CVE-2026-42154, CVE-2026-29181, CVE-2026-33814) are denial-of-service weaknesses with severity 6.38. These are reachable via network but do not allow code execution or data breach. Post-exploit findings are low severity (max 2.69). The image is from a popular community publisher with high trust. No configuration-specific caveats apply to the top findings.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-42154 | MEDIUM6.38 | github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3, 0.305.2 | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-29181 | MEDIUM6.38 | go.opentelemetry.io/otel v1.39.0 fixed in 1.41.0 | 0.3% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-33814 | MEDIUM6.38 | golang.org/x/net v0.49.0 fixed in 0.53.0 | 0.6% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-39883 | MEDIUM5.95 | go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.43.0 | 0.2% Theoretical Threat | Directly Exposed |
| CVE-2026-39821 | MEDIUM5.58 | golang.org/x/net v0.49.0 fixed in 0.55.0 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-42151 | MEDIUM5.1 | github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3 | 0.2% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-40179 | MEDIUM4.14 | github.com/prometheus/prometheus v0.309.1 fixed in 0.311.2-0.20260410083055-07c6232d159b | 0.2% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-44903 | MEDIUM4.14 | github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3 | 0.2% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-34986 | LOW3.83 | github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4 | 0.3% Theoretical Threat | Directly Exposed |
| CVE-2026-39828 | LOW2.69 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-39829 | LOW2.29 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-39830 | LOW2.29 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-42508 | LOW2.26 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-46595 | LOW2.17 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-46598 | LOW1.62 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-2303 | NONE0 | go.mongodb.org/mongo-driver v1.17.6 fixed in 1.17.7 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-39882 | NONE0 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 fixed in 1.43.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-24051 | NONE0 | go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.40.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-39827 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-39835 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-46597 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39831 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39832 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39833 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-39834 | NONE0 | golang.org/x/crypto v0.47.0 fixed in 0.52.0 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-25680 | NONE0 | golang.org/x/net v0.49.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-25681 | NONE0 | golang.org/x/net v0.49.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-27136 | NONE0 | golang.org/x/net v0.49.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-42502 | NONE0 | golang.org/x/net v0.49.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-42506 | NONE0 | golang.org/x/net v0.49.0 fixed in 0.55.0 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-39824 | NONE0 | golang.org/x/sys v0.40.0 fixed in 0.44.0 | 0.1% Theoretical Threat | Not Applicable |