Security Deep Dive
traefik-kop
Security posture and CVE patch evidence from tracked releases.
2 critical dependency CVEs affects v0.20.1.
Audit transitive dependencies; consider upgrading or pinning replacements.
Trust Signals — 2 of 9 Present
Evidence already collected from releases and repository metadata.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.25 / 0.5
No EPSS data
freshness
1.00 / 1.0
23d stale
scorecard
2.00 / 4.0
⚠ Estimated — not yet collected
cve health
0.00 / 2.5
⚠ No direct scan — 2c/17h transitive CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
1.50 / 1.5
No KEV exposure
supply chain risk
-1.50 / 10.0
Risk 42.0/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
Release responsiveness
release responsiveness
10.0
5%
Dependency exposure
dependency exposure
5.8
10%
Provenance trust
provenance trust
5.0
40%
Maintainer health
maintainer health
10.0
10%
Operational risk
operational risk
8.5
10%
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 42.0/100OpenSSF Badge
Badge indicates adherence to open-source best practices.
Dependency Vulnerabilities
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
2
High
17
Medium
20
Low
0
Unknown
4
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2025-66630 | critical | — | github.com/gofiber/fiber/v2 | 2.52.9 | v0.20.0 |
| CVE-2026-33186 | critical | — | google.golang.org/grpc | 1.76.0 | v0.20.0 |
| CVE-2025-15558 | high | — | github.com/docker/cli | 29.0.0+incompatible | v0.20.0 |
| CVE-2026-24051 | high | — | go.opentelemetry.io/otel/sdk | 1.38.0 | v0.20.0 |
| CVE-2026-25949 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-26999 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-29054 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-29181 | high | — | go.opentelemetry.io/otel | 1.38.0 | v0.20.0 |
| CVE-2026-32305 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-34040 | high | — | github.com/docker/docker | 28.5.2+incompatible | v0.20.0 |
| CVE-2026-34986 | high | — | github.com/go-jose/go-jose/v4 | 4.1.3 | v0.20.0 |
| CVE-2026-35051 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-39858 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-39883 | high | — | go.opentelemetry.io/otel/sdk | 1.38.0 | v0.20.0 |
| CVE-2026-40611 | high | — | github.com/go-acme/lego/v4 | 4.28.0 | v0.20.0 |
| CVE-2026-40912 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| GHSA-46wh-3698-f2cx | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| GHSA-4hjq-9h5c-252j | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| GHSA-gv8r-9rw9-9697 | high | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2025-47914 | medium | — | golang.org/x/crypto | 0.43.0 | v0.20.0 |
| CVE-2025-58181 | medium | — | golang.org/x/crypto | 0.43.0 | v0.20.0 |
| CVE-2025-64702 | medium | — | github.com/quic-go/quic-go | 0.55.0 | v0.20.0 |
| CVE-2025-66490 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2025-66491 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-22045 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-25882 | medium | — | github.com/gofiber/fiber/v2 | 2.52.9 | v0.20.0 |
| CVE-2026-26998 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-29777 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-32595 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-32695 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-33433 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-33997 | medium | — | github.com/docker/docker | 28.5.2+incompatible | v0.20.0 |
| CVE-2026-39882 | medium | — | go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp | 0.14.0 | v0.20.0 |
| CVE-2026-39882 | medium | — | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | 1.38.0 | v0.20.0 |
| CVE-2026-39882 | medium | — | go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp | 1.38.0 | v0.20.0 |
| CVE-2026-41174 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-41181 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-41263 | medium | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| CVE-2026-42554 | medium | — | github.com/gofiber/fiber/v2 | 2.52.9 | v0.20.0 |
| CVE-2026-33814 | unknown | — | golang.org/x/net | 0.46.0 | v0.20.0 |
| GO-2026-4530 | unknown | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| GO-2026-4684 | unknown | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
| GO-2026-4897 | unknown | — | github.com/traefik/traefik/v3 | 3.6.1 | v0.20.0 |
Showing 43 of 43