Vulnerability Reportthanosio/thanos:main-2026-06-17-f59e922

thanosio/thanos:main-2026-06-17-f59e922

DIGESTsha256:ad74d4a159a46b1cea1949b81a6bba6e2d5df0ef785d3867e191323e6098c40b

Executive Summary

Threat ScoreSAFE• Pre-calculated threat score is 0, indicating no significant risk• All 22 exposed vulnerabilities have severity below 6.0 (max 5.95), and post-exploit findings are negligible (max 2.69)• Image is from a trusted, popular community publisher (thanosio) with 75M+ pulls and pinned by digest• No high-severity or critical findings in exposure or post-exploit analysis

0/100SAFE

ReputationPOPULAR COMMUNITY• High Reputation Community Image (75M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is safe for production use. While 22 low-severity vulnerabilities and 9 post-exploit findings exist, all have severity scores well below the threshold for exploitation, presenting no practical risk. The image is built from a reputable source and is pinned by digest, ensuring immutability and trust.

Vulnerabilities

Vulnerability Log

31 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.49.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34986	MEDIUM5.1	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42151	MEDIUM5.1	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-29181	MEDIUM5.1	go.opentelemetry.io/otel v1.39.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	golang.org/x/net v0.49.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42154	LOW2.29	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3, 0.305.2	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39829	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39830	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42508	LOW2.26	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46595	LOW2.17	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-40179	LOW1.87	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.2-0.20260410083055-07c6232d159b	0.2% Theoretical Threat	Post-Exploit
CVE-2026-44903	LOW1.87	github.com/prometheus/prometheus v0.309.1 fixed in 0.311.3	0.2% Theoretical Threat	Post-Exploit
CVE-2026-46598	LOW1.62	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-2303	NONE0	go.mongodb.org/mongo-driver v1.17.6 fixed in 1.17.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.39.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.40.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable