Vulnerability Reportvespaengine/vespa:8.706.52

vespaengine/vespa:8.706.52

DIGESTsha256:89365f7a1dd1f53aa44541ae27c907ae5ecdf96213e6826a27e2a27a9cb1ee6b

Executive Summary

Threat ScoreNEEDS ATTENTION• High reputation community image (14M+ pulls, pinned by digest) from trusted publisher.• Two exposed surface vulnerabilities (CVE-2026-45447, CVE-2026-45186) with severity between 6.0 and 6.9.• CVE-2026-45186 (libexpat) is highly relevant as Vespa likely processes XML, enabling denial of service.• No exposed vulnerabilities with severity >= 7.0.• No notable post-exploit vulnerabilities (max post severity 3.98).• Threat score of 25 indicates low overall risk.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (14M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. The most notable vulnerability is CVE-2026-45186 in libexpat, which could allow a denial of service if the container processes crafted XML input; upgrading libexpat to 2.8.1 or later fully mitigates this. CVE-2026-45447 in openssl-libs requires PKCS#7 message processing, which is not typical for Vespa. The remaining vulnerabilities are lower severity and unlikely to be exploited in this context.

Vulnerabilities

Vulnerability Log

28 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45447	MEDIUM6.48	openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-45186	MEDIUM6.38	expat 2.5.0-1.el8_10 fixed in 2.5.0-2.el8_10	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2024-34459	MEDIUM5.5	libxml2 2.9.7-21.el8_10.4 fixed in 2.9.7-21.el8_10.5	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-35568	MEDIUM4.84	io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.0	0.1% Theoretical Threat	Directly Exposed
CVE-2024-4741	MEDIUM4.48	openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	2.9% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-31787	LOW3.98	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31669	LOW3.82	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.4% Theoretical Threat	Post-Exploit
CVE-2026-43110	LOW3.82	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31786	LOW3.62	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.2% Theoretical Threat	Post-Exploit
CVE-2026-46056	LOW3.62	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-35177	LOW3.62	vim-minimal 2:8.0.1763-22.el8_10.3 fixed in 2:8.0.1763-23.el8_10	0.1% Theoretical Threat	Post-Exploit
CVE-2026-43329	LOW3.57	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.1% Theoretical Threat	Post-Exploit
CVE-2026-46125	LOW3.57	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-46152	LOW3.57	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-4741	LOW2.02	openssl 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	2.9% Low-Moderate Risk	Post-Exploit
CVE-2026-33811	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-34237	NONE0	io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.1, 1.1.1, 0.18.3	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable