CBDQ-IO SBus-Router 2.1.0 Image Exposes Multiple High-Severity DNS Vulnerabilities
A security scan of the official CBDQ-IO SBus-Router container image has uncovered multiple unpatched vulnerabilities, including two rated HIGH severity, within a core DNS utility package. The automated Trivy scan of the `ghcr.io/cbdq-io/sbus-router:2.1.0` image reveals that the embedded `bind9-dnsutils` package is an outdated version, leaving the software open to potential exploitation.
The scan details four specific CVEs: CVE-2026-1519 (HIGH), CVE-2026-3104 (HIGH), CVE-2026-3119 (MEDIUM), and CVE-2026-3591 (MEDIUM). All vulnerabilities stem from the same installed package version (`1:9.20.18-1~deb13u1`) and share a common fixed version (`1:9.20.21-1~deb13u1`). This indicates a single, outdated dependency is the source of multiple security flaws in the router's image, which is a critical component for message bus routing in distributed systems.
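A defender-side triage script, added here as an illustration and not part of the scan output or the SBus-Router project: it reads a report in the shape of Trivy's JSON format (a constructed sample mirroring the four findings above, plus a clearly labelled placeholder entry with no fix to exercise that case) and groups findings by installed package, showing that a single upgrade of `bind9-dnsutils` to the fixed version closes all four CVEs.

```python
import json
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample in the shape of Trivy's JSON report (`trivy image -f json`), holding the
# four findings from the article; the last entry (placeholder ID, no FixedVersion) is made up.
TRIVY_REPORT = json.loads("""{
  "ArtifactName": "ghcr.io/cbdq-io/sbus-router:2.1.0",
  "Results": [{"Target": "ghcr.io/cbdq-io/sbus-router:2.1.0 (debian 13)",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2026-1519", "PkgName": "bind9-dnsutils", "Severity": "HIGH",
       "InstalledVersion": "1:9.20.18-1~deb13u1", "FixedVersion": "1:9.20.21-1~deb13u1"},
      {"VulnerabilityID": "CVE-2026-3104", "PkgName": "bind9-dnsutils", "Severity": "HIGH",
       "InstalledVersion": "1:9.20.18-1~deb13u1", "FixedVersion": "1:9.20.21-1~deb13u1"},
      {"VulnerabilityID": "CVE-2026-3119", "PkgName": "bind9-dnsutils", "Severity": "MEDIUM",
       "InstalledVersion": "1:9.20.18-1~deb13u1", "FixedVersion": "1:9.20.21-1~deb13u1"},
      {"VulnerabilityID": "CVE-2026-3591", "PkgName": "bind9-dnsutils", "Severity": "MEDIUM",
       "InstalledVersion": "1:9.20.18-1~deb13u1", "FixedVersion": "1:9.20.21-1~deb13u1"},
      {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-pkg", "Severity": "LOW",
       "InstalledVersion": "0.1-1", "FixedVersion": ""}
    ]}]}""")

def triage(report, min_severity="MEDIUM"):
    """Group findings at or above min_severity by installed package. Returns (fixable, unfixed):
    fixable maps package -> {installed, fixed, cves, top}; unfixed lists CVEs with no fix yet."""
    threshold = SEVERITY_RANK[min_severity]
    groups, unfixed = defaultdict(lambda: {"cves": [], "fixed": set()}), []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent for clean targets
            sev = v.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            if not v.get("FixedVersion"):                # no upstream fix: report separately
                unfixed.append((v["PkgName"], v["VulnerabilityID"], sev))
                continue
            g = groups[(v["PkgName"], v["InstalledVersion"])]
            g["cves"].append((v["VulnerabilityID"], sev))
            g["fixed"].add(v["FixedVersion"])
    fixable = {}
    for (pkg, installed), g in groups.items():
        cves = sorted(g["cves"], key=lambda c: (-SEVERITY_RANK[c[1]], c[0]))  # worst first
        fixable[pkg] = {"installed": installed, "fixed": sorted(g["fixed"]),
                        "cves": cves, "top": cves[0][1]}
    return fixable, unfixed

if __name__ == "__main__":
    for pkg, info in triage(TRIVY_REPORT, "LOW")[0].items():
        print(f"{pkg}: {info['installed']} -> {'/'.join(info['fixed'])} closes "
              f"{len(info['cves'])} CVEs (highest {info['top']})")
```

With the default MEDIUM threshold the placeholder LOW entry is dropped; pass `"LOW"` to see it listed under unfixed findings.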
The presence of these known, fixable vulnerabilities in a published container image raises immediate security concerns for any organization or developer deploying this version. It signals potential oversight in the project's dependency management and release pipeline, exposing downstream users to risks unless they manually patch or upgrade the base image. The findings prompt scrutiny of the project's maintenance practices and highlight the operational security risk of deploying software with unaddressed, high-severity CVEs in fundamental networking libraries.