Vulnerability Reportthanosio/thanos:v0.41.0

thanosio/thanos:v0.41.0

DIGESTsha256:cf3e9b292e4302ad4a4955b56379703aea39516607d382a57604a3d003c35d10

Executive Summary

Threat ScoreNEEDS ATTENTION• Image is from a trusted community publisher (thanosio) with high pull count and pinned by digest.• 39 exposed vulnerabilities detected, 2 with severity >=6.0 (CVE-2026-42154, CVE-2026-25679).• No post-exploit vulnerabilities with severity >=6.0; highest post-exploit severity is 2.69.• Both high-severity findings are denial-of-service, not remote code execution or data exposure.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (75M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The two high-severity vulnerabilities (CVE-2026-42154, CVE-2026-25679) are remotely exploitable denial-of-service flaws that could cause memory exhaustion or crash the service, but they do not enable unauthorized access or data compromise. Post-exploit risks are minimal with no issues above 2.69 severity. Given the image's strong reputation and the nature of the threats, production use is permissible with timely patching.

Vulnerabilities

Vulnerability Log

51 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42154	MEDIUM6.38	github.com/prometheus/prometheus v0.308.0 fixed in 0.311.3, 0.305.2	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-25679	MEDIUM6.38	stdlib v1.25.7 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.38.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.49.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.7 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-40179	MEDIUM5.18	github.com/prometheus/prometheus v0.308.0 fixed in 0.311.2-0.20260410083055-07c6232d159b	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44903	MEDIUM5.18	github.com/prometheus/prometheus v0.308.0 fixed in 0.311.3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-29181	MEDIUM5.1	go.opentelemetry.io/otel v1.38.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32280	MEDIUM5.1	stdlib v1.25.7 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.25.7 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.7 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.25.7 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-46598	MEDIUM4.5	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.25.7 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM4.14	stdlib v1.25.7 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	LOW3.83	stdlib v1.25.7 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34986	LOW2.29	github.com/go-jose/go-jose/v4 v4.1.3 fixed in 4.1.4	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42151	LOW2.29	github.com/prometheus/prometheus v0.308.0 fixed in 0.311.3	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39829	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-39830	LOW2.29	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	golang.org/x/net v0.49.0 fixed in 0.53.0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-33811	LOW2.29	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-33814	LOW2.29	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42508	LOW2.26	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-46595	LOW2.17	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.25.7 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-2303	NONE0	go.mongodb.org/mongo-driver v1.17.4 fixed in 1.17.7	0.2% Theoretical Threat	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-24051	NONE0	go.opentelemetry.io/otel/sdk v1.38.0 fixed in 1.40.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.47.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.49.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.40.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.7 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.7 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.7 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable