Security: Resolve high and critical vulnerabilities in docker.io/redash/redash@c5c9148f #7683

@schammah

Summary

Wiz security scan of docker.io/redash/redash@c5c9148f detected 112 open vulnerabilities including 11 CRITICAL and 101 HIGH severity findings across Python and JavaScript dependencies.


🔴 Critical Vulnerabilities (11 findings)

| CVE / Advisory | Package | Current Version | Fix Version | CVSS | Notes |
|---|---|---|---|---|---|
| CVE-2024-48910 | DOMPurify (JS) | 2.0.17 | 2.4.2 | 9.8 | |
| CVE-2025-7783 | JS dep (yarn.lock / viz-lib) | 2.3.3 / 4.0.0 | 2.5.4 / 4.0.4 | 9.4 | Multiple lock files |
| GHSA-vjh7-7g9h-fjfh | JS dep (yarn.lock) | 6.6.0 | 6.6.1 | 9.0 | |
| CVE-2025-43859 | h11 (Python) | 0.14.0 | 0.16.0 | 9.1 | HTTP request smuggling |
| CVE-2026-27962 | Authlib (Python) | 0.15.5 | 1.6.9 | 9.1 | ⚡ Known exploit |
| CVE-2023-45133 | @babel/traverse (JS) | 6.26.0 | no fix available | 8.8 | Arbitrary code execution |

🟠 High Vulnerabilities (101 findings — representative sample)

| CVE | Package | Current Version | Fix Version | CVSS | Notes |
|---|---|---|---|---|---|
| CVE-2026-21441 | urllib3 (Python) | 1.26.19 | 2.6.3 | 8.9 | DoS |
| CVE-2025-66471 | urllib3 (Python) | 1.26.19 | 2.6.3 | 8.9 | DoS |
| CVE-2025-66418 | urllib3 (Python) | 1.26.19 | 2.6.3 | 8.9 | DoS |
| CVE-2026-28490 | Authlib (Python) | 0.15.5 | 1.6.9 | 8.3 | ⚡ Known exploit |
| CVE-2026-26007 | cryptography (Python) | 43.0.1 | 46.0.5 | 8.2 | |
| CVE-2026-28498 | Authlib (Python) | 0.15.5 | 1.6.9 | 8.2 | ⚡ Known exploit |
| CVE-2026-23745 | JS dep (yarn.lock) | 6.2.1 | 7.5.3 | 8.2 | ⚡ Known exploit |
| CVE-2025-47273 | setuptools (Python) | 75.3.2 | 78.1.1 | 7.7 | |
| CVE-2024-52798 | path-to-regexp (JS) | 0.1.10 | 0.1.13 | 7.7 | |
| CVE-2024-21538 | cross-spawn (JS) | 6.0.5 / 7.0.3 | 6.0.6 / 7.0.5 | 7.7 | |
| CVE-2024-34069 | Werkzeug (Python) | 2.3.8 | 3.0.3 | 7.5 | ⚡ Known exploit |
| CVE-2024-37568 | Authlib (Python) | 0.15.5 | 1.6.9 | 7.5 | ⚡ Known exploit |
| CVE-2025-59420 | Authlib (Python) | 0.15.5 | 1.6.9 | 7.5 | ⚡ Known exploit |
| CVE-2025-61920 | Authlib (Python) | 0.15.5 | 1.6.9 | 7.5 | ⚡ Known exploit |
| CVE-2026-32141 | JS dep (viz-lib) | 3.1.0 | 3.4.2 | 7.5 | ⚡ Known exploit |
| CVE-2026-26960 | JS dep (yarn.lock) | 6.2.1 | 7.5.11 | 7.1 | ⚡ Known exploit |
| CVE-2017-15010 | tough-cookie (JS) | 0.12.1 | 2.3.3 | 7.5 | |
| CVE-2026-4867 | JS dep (yarn.lock) | 0.1.10 | 0.1.13 | 7.5 | |

⚡ = public exploit available


Key Packages Requiring Upgrades

| Package | Current | Minimum Fix | Severity Count |
|---|---|---|---|
| Authlib (Python) | 0.15.5 | 1.6.9 | 2 CRITICAL + 5 HIGH |
| urllib3 (Python) | 1.26.19 | 2.6.3 | 3 HIGH |
| cryptography (Python) | 43.0.1 | 46.0.5 | 1 HIGH |
| Werkzeug (Python) | 2.3.8 | 3.0.3 | 1 HIGH |
| setuptools (Python) | 75.3.2 | 78.1.1 | 1 HIGH |
| h11 (Python) | 0.14.0 | 0.16.0 | 1 CRITICAL |
| DOMPurify (JS) | 2.0.17 | 2.4.2 | 1 CRITICAL |
| path-to-regexp (JS) | 0.1.10 | 0.1.13 | 1 HIGH |
| cross-spawn (JS) | 6.0.5 / 7.0.3 | 6.0.6 / 7.0.5 | 1 HIGH |
| @babel/traverse (JS) | 6.26.0 | no fix | 1 CRITICAL |

Scan Details

  • Image: docker.io/redash/redash@sha256:c5c9148f5c389c9373224bde7053b4a1652fd696ee881dce00a064d21ccdcba8
  • Scan source: Wiz
  • Scan date: 2026-04-03
  • Total findings: 112 (11 critical, 101 high)
  • Detection method: Python packages (poetry.lock, site-packages) and JS packages (yarn.lock, viz-lib/yarn.lock)