Security Status
This page shows the current results of automated container-image vulnerability scans (Trivy) across the latest versions of the msg.ZenTestAI services.
Scans run automatically every day. Each service section below lists the Critical and High severity findings for:
- latest — the latest release (main branch)
- Previous releases — the latest patch of each of the two preceding minor releases
Only Critical and High severity CVEs are tracked on this page. Medium and Low severity findings are monitored internally and addressed during regular maintenance.
Individual findings that have been reviewed and accepted as not exploitable are documented per service. Fixes are shipped with the next regular release.
note
The timestamp in each section shows when the respective scan last ran. If the timestamp is older than 48 hours, please contact support.
Overview
| Module | Critical | High | Scanned (UTC) |
|---|---|---|---|
| Frontend | 0 | 8 | 2026-05-27T05:32:54Z |
| Backend | 0 | 0 | 2026-05-27T05:30:26Z |
| Runner | 2 | 4 | 2026-05-27T05:28:09Z |
Frontend
Severity filter: CRITICAL, HIGH (MEDIUM/LOW not tracked)
Latest versions
| Target | Critical | High | Scanned (UTC) |
|---|---|---|---|
| latest | 0 | 8 | 2026-05-27T05:32:54Z |
| 1.15.16 | 0 | 8 | 2026-05-27T05:33:14Z |
| 1.14.18 | 0 | 8 | 2026-05-27T05:32:30Z |
Open findings
latest
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-27135 | HIGH | nghttp2-libs | 1.65.0-r0 | 1.68.1 | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination |
| CVE-2026-6321 | HIGH | fast-uri | 3.1.0 | 3.1.1 | fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies |
| CVE-2026-6322 | HIGH | fast-uri | 3.1.0 | 3.1.2 | fast-uri normalize() decoded percent-encoded authority delimiters insi ... |
| CVE-2026-33811 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ... |
| CVE-2026-33814 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will enter an infini ... |
| CVE-2026-39820 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... |
| CVE-2026-39836 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Panic in Dial and LookupPort when handling NUL byte on Windows in net |
| CVE-2026-42499 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase when parsing ... |
1.15.16
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-27135 | HIGH | nghttp2-libs | 1.65.0-r0 | 1.68.1 | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination |
| CVE-2026-6321 | HIGH | fast-uri | 3.1.0 | 3.1.1 | fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies |
| CVE-2026-6322 | HIGH | fast-uri | 3.1.0 | 3.1.2 | fast-uri normalize() decoded percent-encoded authority delimiters insi ... |
| CVE-2026-33811 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ... |
| CVE-2026-33814 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will enter an infini ... |
| CVE-2026-39820 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... |
| CVE-2026-39836 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Panic in Dial and LookupPort when handling NUL byte on Windows in net |
| CVE-2026-42499 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase when parsing ... |
1.14.18
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-27135 | HIGH | nghttp2-libs | 1.65.0-r0 | 1.68.1 | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination |
| CVE-2026-6321 | HIGH | fast-uri | 3.1.0 | 3.1.1 | fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies |
| CVE-2026-6322 | HIGH | fast-uri | 3.1.0 | 3.1.2 | fast-uri normalize() decoded percent-encoded authority delimiters insi ... |
| CVE-2026-33811 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME re ... |
| CVE-2026-33814 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | When processing HTTP/2 SETTINGS frames, transport will enter an infini ... |
| CVE-2026-39820 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse ... |
| CVE-2026-39836 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Panic in Dial and LookupPort when handling NUL byte on Windows in net |
| CVE-2026-42499 | HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 | Pathological inputs could cause DoS through consumePhrase when parsing ... |
Backend
Severity filter: CRITICAL, HIGH (MEDIUM/LOW not tracked)
Latest versions
| Target | Critical | High | Scanned (UTC) |
|---|---|---|---|
| latest | 0 | 0 | 2026-05-27T05:30:26Z |
| 1.15.17 | 0 | 0 | 2026-05-27T05:30:05Z |
| 1.14.19 | 0 | 1 | 2026-05-27T05:30:04Z |
Open findings
1.14.19
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-27135 | HIGH | nghttp2-libs | 1.65.0-r0 | 1.68.1 | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination |
Runner
Severity filter: CRITICAL, HIGH (MEDIUM/LOW not tracked)
Latest versions
| Target | Critical | High | Scanned (UTC) |
|---|---|---|---|
| latest | 2 | 4 | 2026-05-27T05:28:09Z |
| 1.15.20 | 2 | 4 | 2026-05-27T05:27:59Z |
| 1.14.27 | 4 | 10 | 2026-05-27T05:26:28Z |
Open findings
latest
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-3593 | CRITICAL | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation |
| CVE-2026-3039 | HIGH | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation |
| CVE-2026-5946 | HIGH | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: Invalid handling of CLASS != IN |
| CVE-2026-3593 | CRITICAL | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation |
| CVE-2026-3039 | HIGH | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation |
| CVE-2026-5946 | HIGH | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: Invalid handling of CLASS != IN |
1.15.20
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-3593 | CRITICAL | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation |
| CVE-2026-3039 | HIGH | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation |
| CVE-2026-5946 | HIGH | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: Invalid handling of CLASS != IN |
| CVE-2026-3593 | CRITICAL | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation |
| CVE-2026-3039 | HIGH | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation |
| CVE-2026-5946 | HIGH | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: Invalid handling of CLASS != IN |
1.14.27
| CVE | Severity | Package | Installed | Fixed | Title |
|---|---|---|---|---|---|
| CVE-2026-3593 | CRITICAL | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation |
| CVE-2026-3039 | HIGH | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation |
| CVE-2026-5946 | HIGH | bind-libs | 9.20.22-r0 | 9.20.23-r0 | bind: Invalid handling of CLASS != IN |
| CVE-2026-3593 | CRITICAL | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation |
| CVE-2026-3039 | HIGH | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: BIND 9 server memory exhaustion during GSS-API TKEY negotiation |
| CVE-2026-5946 | HIGH | bind-tools | 9.20.22-r0 | 9.20.23-r0 | bind: Invalid handling of CLASS != IN |
| CVE-2026-34980 | HIGH | cups-libs | 2.4.16-r0 | 2.4.18-r0 | cups: OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network |
| CVE-2026-33845 | CRITICAL | gnutls | 3.8.12-r0 | 3.8.13-r0 | gnutls: GnuTLS: Denial of Service via DTLS zero-length fragment |
| CVE-2026-42010 | CRITICAL | gnutls | 3.8.12-r0 | 3.8.13-r0 | gnutls: gnutls: Authentication Bypass via NUL Character in Username |
| CVE-2026-33846 | HIGH | gnutls | 3.8.12-r0 | 3.8.13-r0 | gnutls: GnuTLS: Denial of Service via heap buffer overflow in DTLS handshake fragment reassembly |
| CVE-2026-3833 | HIGH | gnutls | 3.8.12-r0 | 3.8.13-r0 | gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison |
| CVE-2026-42009 | HIGH | gnutls | 3.8.12-r0 | 3.8.13-r0 | gnutls: gnutls: Denial of Service via DTLS packet reordering vulnerability |
| CVE-2026-41254 | HIGH | lcms2 | 2.16-r0 | 2.19-r0 | Little CMS: lcms2: mm2/Little-CMS: Little CMS: Information disclosure or denial of service via integer overflow in CubeSize |
| CVE-2026-27135 | HIGH | nghttp2-libs | 1.65.0-r0 | 1.68.1 | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination |