18 open findings · 21 with upstream fix available

| Package | Version | Severity | CVE | Fix | Description | VEX |
|---|---|---|---|---|---|---|
| opensearch-3 | 3.6.0-r5 | CRITICAL | CVE-2026-47691 | 3.6.0-r7 | — | |
| opensearch-3 | 3.6.0-r5 | CRITICAL | CVE-2026-45674 | 3.6.0-r7 | — | |
| netty-handler | 4.2.13.Final | HIGH | GHSA-x4gw-5cx5-pgmh | 4.2.15.Final | Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes | — |
| netty-handler | 4.2.13.Final | HIGH | GHSA-3qp7-7mw8-wx86 | 4.2.15.Final | Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking | — |
| netty-codec-http3 | 4.2.13.Final | HIGH | GHSA-4grm-h2qv-h6w6 | 4.2.15.Final | Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion | — |
| netty-codec-http3 | 4.2.13.Final | HIGH | GHSA-c2rx-5r8w-8xr2 | 4.2.15.Final | Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size | — |
| opensearch-3 | 3.6.0-r5 | HIGH | CVE-2026-44892 | 3.6.0-r7 | — | |
| netty-codec-classes-quic | 4.2.13.Final | HIGH | GHSA-cmm3-54f8-px4j | 4.2.15.Final | Netty's Default QUIC token handler accepts any client-supplied token | — |
| opensearch-3 | 3.6.0-r5 | HIGH | CVE-2026-44894 | 3.6.0-r7 | — | |
| netty-handler | 4.2.13.Final | HIGH | GHSA-c653-97m9-rcg9 | 4.2.15.Final | Netty: Wrapping plain trust manager silently disables hostname verification | — |
| netty-codec-http2 | 4.2.13.Final | MEDIUM | GHSA-c2gf-v879-257j | 4.2.15.Final | netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion | — |
| netty-codec-http2 | 4.2.13.Final | MEDIUM | GHSA-5x3r-wrvg-rp6q | 4.2.15.Final | Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced | — |
| opensearch-3 | 3.6.0-r5 | MEDIUM | CVE-2026-45673 | 3.6.0-r7 | — | |
| netty-codec-http2 | 4.2.13.Final | MEDIUM | GHSA-563q-j3cm-6jxm | 4.2.15.Final | Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature | — |
| netty-codec-http | 4.2.13.Final | MEDIUM | GHSA-hvcg-qmg6-jm4c | 4.2.15.Final | Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted | — |
| netty-codec-classes-quic | 4.2.13.Final | MEDIUM | GHSA-cq4q-cv5g-r8q5 | 4.2.15.Final | Netty: QUIC stateless reset token material exposed through header-visible connection IDs | — |
| bc-fips | 2.1.2 | MEDIUM | GHSA-mx76-r943-rf8g | — | Bouncy Castle has a vulnerability in program files gcm128w, gcm512w | — |
| bc-fips | 2.1.2 | MEDIUM | GHSA-mx76-r943-rf8g | — | Bouncy Castle has a vulnerability in program files gcm128w, gcm512w | — |
| opensearch-3 | 3.6.0-r5 | UNKNOWN | GHSA-5pvg-856g-cp85 | 3.6.0-r7 | — | |
| opensearch-3 | 3.6.0-r5 | UNKNOWN | GHSA-676x-f7gg-47vc | 3.6.0-r7 | — | |
| opensearch-3 | 3.6.0-r5 | UNKNOWN | GHSA-c2rx-5r8w-8xr2 | 3.6.0-r7 | — | |
| opensearch-3 | 3.6.0-r5 | UNKNOWN | GHSA-cmm3-54f8-px4j | 3.6.0-r7 | — | |
| opensearch-3 | 3.6.0-r5 | UNKNOWN | GHSA-xmv7-r254-6q78 | 3.6.0-r7 | — | |