
Vulnerabilities

All container images are scanned with Grype against the latest vulnerability database. Scans run weekly (Monday 06:00 UTC) and on every pre-release build. Known false positives are suppressed via per-image VEX statements.

Severity     Count
Critical     8
High         38
Medium       21
Low          3
Negligible   0
Scanned 7 of 7 images.

Methodology

  1. SBOMs are extracted from OCI attestations attached to each container image
  2. Grype scans each SBOM against the latest vulnerability database
  3. Known false positives are suppressed via per-image VEX statements — the VEX status column shows the triage decision and justification
  4. Remaining findings are triaged per the remediation SLA

VEX files follow the OpenVEX v0.2.0 specification and serve a dual purpose:

  1. Compliance evidence — auditable record of triage decisions
  2. Scan suppression — Grype consumes them via --vex to suppress known not-affected findings

VEX Assessments

125 VEX assessments: 114 not affected (suppressed from scan), 11 affected (shown in findings with context).

All VEX assessments (125)

CVE | Image | Status | Justification / Action

CVE-2019-1010022 | postgres | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug with no real threat. Requires a pre-existing stack buffer overflow to exploit, making the bypass academic. No fix will be issued. References: …
CVE-2026-2673 | postgres | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2 — no PR or update request exists yet as of 2026-04-04. Reduced severity in our …
CVE-2023-4039 | postgres | not_affected | vulnerable_code_not_in_execute_path
    AArch64-only vulnerability — the flawed stack protector logic only affects code generated for AArch64. Our images are built exclusively for x86_64 where the stack protector works correctly. GCC's …
CVE-2019-1010023 | postgres | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. Requires attacker-controlled data in specific memory layout — prerequisite conditions do not exist in a normal PostgreSQL deployment. No fix will be issued. References: - …
CVE-2019-1010024 | postgres | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. ASLR bypass via /proc/self/maps requires local access to read the process memory map; the container does not expose this to external users. This is an OS information leak, …
CVE-2019-1010025 | postgres | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. The __abort_msg symbol can leak heap addresses only to a local attacker who already has access to the process. No remote exploitation path. No fix will be issued. …
CVE-2010-4756 | postgres | not_affected | vulnerable_code_not_in_execute_path
    The glob resource exhaustion requires an attacker to supply crafted glob patterns to a program that passes them to glob(). PostgreSQL does not use glob() on user-supplied input. Ancient CVE from 2010 …
CVE-2025-15281 | postgres | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The vulnerable wordexp WRDE_REUSE+WRDE_APPEND code path has been patched.
CVE-2026-0861 | postgres | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The memalign alignment overflow check has been reinstated.
CVE-2026-0915 | postgres | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The getnetbyaddr DNS backend stack leak has been patched.
CVE-2026-4046 | postgres | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390.so and IBM1399.so gconv modules are stripped from image layers at build time via buildCompliantImage's stripFromLayers parameter. iconv() will return "conversion not supported" …
CVE-2026-4437 | postgres | affected | (no justification; affected)
    PostgreSQL uses getnameinfo() for reverse DNS lookups in hostname-based pg_hba.conf authentication. On glibc, getnameinfo routes through the same NSS DNS backend as gethostbyaddr. A crafted DNS …
CVE-2026-4438 | postgres | not_affected | vulnerable_code_not_in_execute_path
    PostgreSQL uses getaddrinfo for name resolution, not the deprecated gethostbyaddr. The vulnerable code path is not exercised. No upstream fix yet (affects through glibc 2.43).
CVE-2024-58251 | postgres | not_affected | vulnerable_code_not_present
    The netstat applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and …
CVE-2025-46394 | postgres | not_affected | vulnerable_code_not_present
    The tar applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
CVE-2025-60876 | postgres | not_affected | vulnerable_code_not_present
    The wget applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …

CVE-2019-1010022 | redis | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug with no real threat. Requires a pre-existing stack buffer overflow to exploit. No fix will be issued. References: - …
CVE-2019-1010023 | redis | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010023 (Debian: unimportant)
CVE-2019-1010024 | redis | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. Requires local access to /proc/self/maps. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010024 (Debian: unimportant)
CVE-2019-1010025 | redis | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No remote exploitation path. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010025 (Debian: unimportant)
CVE-2010-4756 | redis | not_affected | vulnerable_code_not_in_execute_path
    Redis does not use glob() on user-supplied input. Ancient CVE from 2010, no upstream fix planned. References: - https://security-tracker.debian.org/tracker/CVE-2010-4756 (Debian: unimportant)
CVE-2026-2673 | redis | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2. Reduced severity: Redis is accessed only within the cluster network and does not …
CVE-2023-4039 | redis | not_affected | vulnerable_code_not_in_execute_path
    AArch64-only vulnerability — the flawed stack protector logic only affects AArch64 code generation. Our images are built exclusively for x86_64. GCC's AArch64 backend is present but not exercised. …
CVE-2025-15281 | redis | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The vulnerable wordexp WRDE_REUSE+WRDE_APPEND code path has been patched.
CVE-2026-0861 | redis | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The memalign alignment overflow check has been reinstated.
CVE-2026-0915 | redis | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The getnetbyaddr DNS backend stack leak has been patched.
CVE-2026-4046 | redis | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390.so and IBM1399.so gconv modules are stripped from image layers at build time via buildCompliantImage's stripFromLayers parameter. iconv() will return "conversion not supported" …
CVE-2026-4437 | redis | not_affected | vulnerable_code_not_in_execute_path
    Redis uses getaddrinfo for forward resolution and does not perform reverse DNS lookups in its default configuration. Sentinel/Cluster node discovery uses forward DNS only. No upstream fix yet (affects …
CVE-2026-4438 | redis | not_affected | vulnerable_code_not_in_execute_path
    Redis uses getaddrinfo, not the deprecated gethostbyaddr. No upstream fix yet (affects through glibc 2.43).

CVE-2019-1010022 | minio | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug with no real threat. Requires a pre-existing stack buffer overflow to exploit. No fix will be issued. References: - …
CVE-2019-1010023 | minio | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010023 (Debian: unimportant)
CVE-2019-1010024 | minio | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. Requires local access to /proc/self/maps. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010024 (Debian: unimportant)
CVE-2019-1010025 | minio | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No remote exploitation path. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010025 (Debian: unimportant)
CVE-2010-4756 | minio | not_affected | vulnerable_code_not_in_execute_path
    MinIO does not use glob() on user-supplied input. Ancient CVE from 2010, no upstream fix planned. References: - https://security-tracker.debian.org/tracker/CVE-2010-4756 (Debian: unimportant)
CVE-2026-2673 | minio | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2. Reduced severity: MinIO is accessed only within the cluster network and does not …
CVE-2023-4039 | minio | not_affected | vulnerable_code_not_in_execute_path
    AArch64-only vulnerability — the flawed stack protector logic only affects AArch64 code generation. Our images are built exclusively for x86_64. GCC's AArch64 backend is present but not exercised. …
CVE-2025-15281 | minio | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The vulnerable wordexp WRDE_REUSE+WRDE_APPEND code path has been patched.
CVE-2026-0861 | minio | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The memalign alignment overflow check has been reinstated.
CVE-2026-0915 | minio | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The getnetbyaddr DNS backend stack leak has been patched.
CVE-2026-4046 | minio | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390.so and IBM1399.so gconv modules are stripped from image layers at build time via buildCompliantImage's stripFromLayers parameter. iconv() will return "conversion not supported" …
CVE-2026-4437 | minio | not_affected | vulnerable_code_not_in_execute_path
    MinIO is a statically-linked Go binary that uses Go's pure-Go DNS resolver by default, bypassing glibc's gethostbyaddr entirely. No upstream fix yet (affects through glibc 2.43).
CVE-2026-4438 | minio | not_affected | vulnerable_code_not_in_execute_path
    MinIO (Go binary) uses Go's net package, not glibc's gethostbyaddr. No upstream fix yet (affects through glibc 2.43).
CVE-2024-58251 | minio | not_affected | vulnerable_code_not_present
    The netstat applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and …
CVE-2025-46394 | minio | not_affected | vulnerable_code_not_present
    The tar applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
CVE-2025-60876 | minio | not_affected | vulnerable_code_not_present
    The wget applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …

CVE-2019-1010022 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug with no real threat. Requires a pre-existing stack buffer overflow to exploit, making the bypass academic. No fix will be issued. References: …
CVE-2019-1010023 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — "not a security bug." Requires an attacker to send two ELF files and convince the victim to run ldd on them. The ldd utility is not used at runtime in this container. …
CVE-2019-1010024 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — "ASLR bypass itself is not a vulnerability." Requires pre-existing code execution. No fix will be issued. References: - …
CVE-2019-1010025 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — "ASLR bypass itself is not a vulnerability." Attacker may guess heap addresses of pthread-created threads. Requires pre-existing code execution. No fix will be issued. …
CVE-2010-4756 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Ancient (2010) denial-of-service via crafted glob patterns. Our application does not expose glob expansion to untrusted input. Disputed by upstream as a configuration/resource-limit issue rather than …
CVE-2025-15281 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    The wordexp function is a shell-word-expansion C function. Python/Django does not call wordexp — the vulnerable code path is never exercised. Fixed in glibc 2.43 (not yet in nixpkgs).
CVE-2026-0861 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Exploitation requires attacker control of both size and alignment arguments to memalign. Python/Django does not expose these C allocation functions to user-controlled input. Fixed in glibc 2.43 (not …
CVE-2026-0915 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Python/Django does not call getnetbyaddr with zero network values. The affected C function is not in the application's execution path. Fixed in glibc 2.43 (not yet in nixpkgs).
CVE-2026-4046 | sbomify-app | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390/IBM1399 gconv modules have been stripped from the image via stripFromLayers. Additionally, Python handles character encoding internally via its own codec system, not glibc …
CVE-2026-4437 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Django uses getaddrinfo (forward lookups), not gethostbyaddr (reverse lookups). The affected code path is not exercised. Patch proposed upstream (sourceware bug #34014), not yet in a released glibc.
CVE-2026-4438 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Django uses getaddrinfo (forward lookups), not gethostbyaddr (reverse lookups). The application does not use reverse DNS for security decisions. Patch proposed upstream, not yet in a released glibc.
CVE-2026-2673 | sbomify-app | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2. Reduced severity in our deployment: the sbomify-app sits behind a reverse proxy …
CVE-2023-4039 | sbomify-app | not_affected | vulnerable_code_not_present
    AArch64-only vulnerability — our images are built for x86_64 where the stack protector works correctly. Additionally disputed by the GCC project as a missed hardening bug, not a vulnerability. …
CVE-2024-58251 | sbomify-app | not_affected | vulnerable_code_not_present
    The netstat applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and …
CVE-2025-46394 | sbomify-app | not_affected | vulnerable_code_not_present
    The tar applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
CVE-2025-60876 | sbomify-app | not_affected | vulnerable_code_not_present
    The wget applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
GHSA-7r86-cg39-jmmj | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-3ppc-4f35-3m26 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-23c5-xmqv-rm74 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-c2c7-rcm5-vvqj | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-3v7f-55p6-f55p | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-25h7-pfq9-p65f | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-rf6f-7fwh-wjgh | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-mw96-cpmx-2vgc | sbomify-app | not_affected | inline_mitigations_already_exist
    Rollup is vite's bundler and its vulnerable bundle.write() code path IS executed during every build. However, the Nix build sandbox constrains the blast radius: builds run in a chroot with the Nix …
GHSA-5c6j-r48x-rmvq | sbomify-app | affected | (no justification; affected)
    serialize-javascript is used by vite/terser internals during the build — its vulnerable serialization code IS executed, and its output (serialized JS chunks) ends up in the browser bundle. An RCE …
GHSA-qj8w-gfj5-8c6v | sbomify-app | affected | (no justification; affected)
    serialize-javascript runs during the vite build. CPU exhaustion during the build would prevent deployment of security patches — a DoS against the build pipeline. The Nix sandbox does not mitigate CPU …
GHSA-r5fr-rjxr-66jc | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-xxjr-mmjv-4gpg | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-f23m-r3pf-42rh | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-f886-m6hf-6m8v | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-7h2j-956f-4vf2 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-2g4f-4pwh-qvx6 | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-43fc-jf86-j433 | sbomify-app | not_affected | vulnerable_code_not_reachable
    axios is bundled into the frontend JS (imported in sbomify/apps/core/js/utils.ts), but the vulnerable mergeConfig() function only processes developer-authored config literals during request setup. API …
GHSA-v3rj-xjv7-4jmq | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.
GHSA-38c4-r59v-3vqw | sbomify-app | not_affected | vulnerable_code_not_in_execute_path
    Build-only dependency used during Nix derivation build (bun install + vite build). No npm code executes in the runtime container — only static JS/CSS assets are included in the image.

CVE-2019-1010022 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug. Requires a pre-existing stack buffer overflow to exploit. No fix will be issued. References: - …
CVE-2019-1010023 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010023 (Debian: unimportant)
CVE-2019-1010024 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. Requires local access to /proc/self/maps. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010024 (Debian: unimportant)
CVE-2019-1010025 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No remote exploitation path. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010025 (Debian: unimportant)
CVE-2010-4756 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    Keycloak does not use glob() on user-supplied input. Ancient CVE from 2010, no upstream fix planned. References: - https://security-tracker.debian.org/tracker/CVE-2010-4756 (Debian: unimportant)
CVE-2026-2673 | sbomify-keycloak | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2. Reduced severity: Keycloak sits behind a reverse proxy and is not directly …
CVE-2023-4039 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    AArch64-only vulnerability — the flawed stack protector logic only affects AArch64 code generation. Our images are built exclusively for x86_64. GCC's AArch64 backend is present but not exercised. …
CVE-2025-15281 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The vulnerable wordexp WRDE_REUSE+WRDE_APPEND code path has been patched.
CVE-2026-0861 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The memalign alignment overflow check has been reinstated.
CVE-2026-0915 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The getnetbyaddr DNS backend stack leak has been patched.
CVE-2026-4046 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390.so and IBM1399.so gconv modules are stripped from image layers at build time via buildCompliantImage's stripFromLayers parameter. iconv() will return "conversion not supported" …
CVE-2026-4437 | sbomify-keycloak | affected | (no justification; affected)
    Java's InetAddress.getHostName() performs reverse DNS lookups via getnameinfo()/gethostbyaddr() on glibc-based containers. Keycloak uses this for audit logging and client identification. A crafted DNS …
CVE-2026-4438 | sbomify-keycloak | not_affected | vulnerable_code_not_in_execute_path
    Keycloak (Java) uses Java's InetAddress, not glibc's gethostbyaddr. No upstream fix yet (affects through glibc 2.43).
CVE-2024-58251 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    The netstat applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and …
CVE-2025-46394 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    The tar applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
CVE-2025-60876 | sbomify-keycloak | not_affected | vulnerable_code_not_present
    The wget applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …

CVE-2019-1010022 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug. Requires a pre-existing stack buffer overflow to exploit. No fix will be issued. References: - …
CVE-2019-1010023 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010023 (Debian: unimportant)
CVE-2019-1010024 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. Requires local access to /proc/self/maps. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010024 (Debian: unimportant)
CVE-2019-1010025 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No remote exploitation path. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010025 (Debian: unimportant)
CVE-2010-4756 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Caddy does not use glob() on user-supplied input. Ancient CVE from 2010, no upstream fix planned. References: - https://security-tracker.debian.org/tracker/CVE-2010-4756 (Debian: unimportant)
CVE-2026-2673 | sbomify-caddy-dev | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2. Reduced severity: Caddy dev image is used only in local development and not …
CVE-2023-4039 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    AArch64-only vulnerability — the flawed stack protector logic only affects AArch64 code generation. Our images are built exclusively for x86_64. GCC's AArch64 backend is present but not exercised. …
CVE-2025-15281 | sbomify-caddy-dev | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The vulnerable wordexp WRDE_REUSE+WRDE_APPEND code path has been patched.
CVE-2026-0861 | sbomify-caddy-dev | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The memalign alignment overflow check has been reinstated.
CVE-2026-0915 | sbomify-caddy-dev | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The getnetbyaddr DNS backend stack leak has been patched.
CVE-2026-4046 | sbomify-caddy-dev | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390.so and IBM1399.so gconv modules are stripped from image layers at build time via buildCompliantImage's stripFromLayers parameter. iconv() will return "conversion not supported" …
CVE-2026-4437 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Caddy is a Go binary that uses Go's pure-Go DNS resolver by default, bypassing glibc's gethostbyaddr. Dev-only image not deployed to production. No upstream fix yet (affects through glibc 2.43).
CVE-2026-4438 | sbomify-caddy-dev | not_affected | vulnerable_code_not_in_execute_path
    Caddy (Go binary) uses Go's net package, not glibc's gethostbyaddr. No upstream fix yet (affects through glibc 2.43).

CVE-2019-1010022 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream — treated as a non-security bug. Requires a pre-existing stack buffer overflow to exploit. No fix will be issued. References: - …
CVE-2019-1010023 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010023 (Debian: unimportant)
CVE-2019-1010024 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. Requires local access to /proc/self/maps. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010024 (Debian: unimportant)
CVE-2019-1010025 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    Disputed by glibc upstream. No remote exploitation path. No fix will be issued. References: - https://security-tracker.debian.org/tracker/CVE-2019-1010025 (Debian: unimportant)
CVE-2010-4756 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    minio-init does not use glob() on user-supplied input. Ancient CVE from 2010, no upstream fix planned. References: - https://security-tracker.debian.org/tracker/CVE-2010-4756 (Debian: unimportant)
CVE-2026-2673 | sbomify-minio-init | affected | (no justification; affected)
    Fix available in OpenSSL 3.6.2 (released 2026-03-13). Waiting on upstream nixpkgs to bump openssl from 3.6.1 to 3.6.2. Reduced severity: minio-init is a short-lived init container that creates buckets …
CVE-2023-4039 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    AArch64-only vulnerability — the flawed stack protector logic only affects AArch64 code generation. Our images are built exclusively for x86_64. GCC's AArch64 backend is present but not exercised. …
CVE-2025-15281 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The vulnerable wordexp WRDE_REUSE+WRDE_APPEND code path has been patched.
CVE-2026-0861 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The memalign alignment overflow check has been reinstated.
CVE-2026-0915 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    Fixed in nixpkgs glibc 2.42-51 via 2.42-master.patch (cherry-picked from upstream). The getnetbyaddr DNS backend stack leak has been patched.
CVE-2026-4046 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    The vulnerable IBM1390.so and IBM1399.so gconv modules are stripped from image layers at build time via buildCompliantImage's stripFromLayers parameter. iconv() will return "conversion not supported" …
CVE-2026-4437 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    minio-init is a short-lived init container that creates buckets and exits. It does not perform reverse DNS lookups. No upstream fix yet (affects through glibc 2.43).
CVE-2026-4438 | sbomify-minio-init | not_affected | vulnerable_code_not_in_execute_path
    minio-init is a short-lived init script, not a DNS client. No upstream fix yet (affects through glibc 2.43).
CVE-2024-58251 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    The netstat applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and …
CVE-2025-46394 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    The tar applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
CVE-2025-60876 | sbomify-minio-init | not_affected | vulnerable_code_not_present
    The wget applet is not compiled into this image's BusyBox binary. Images use a minimal BusyBox build (common/pkgs/minimal-busybox) with enableMinimal=true that includes only file operations and shell …
Last updated on • David Laing