Security Alert: 5 HIGH Vulnerabilities Found in 'news-feed' Container, Including Critical libpng Flaws
A Trivy security scan has flagged five HIGH-severity vulnerabilities in a critical software component, exposing a potential attack surface for denial of service, arbitrary code execution, and information disclosure. The scan, conducted on April 2, 2026, targeted the `7002370412/news-feed:latest` container image, which is built on Alpine Linux 3.23.3. The findings are concentrated in unpatched core libraries: no CRITICAL, MEDIUM, or LOW issues were reported, so the risk rests squarely on these five high-priority entries.
The vulnerabilities are rooted in outdated versions of two fundamental packages, `gnutls` and `libpng`. The single `gnutls` vulnerability (CVE-2026-1584) could allow a remote attacker to trigger a denial of service via a crafted ClientHello message. More critically, four separate HIGH-severity CVEs affect the `libpng` graphics library, including a heap buffer overflow (CVE-2026-25646), a use-after-free flaw enabling arbitrary code execution (CVE-2026-33416), and an information disclosure/denial-of-service vulnerability (CVE-2026-33636), all present in the installed version 1.6.54-r0.
This security report signals immediate pressure on the maintainers of the `news-feed` service to apply available patches. The fixed versions are explicitly listed (gnutls 3.8.12-r0 and libpng 1.6.55/1.6.56-r0), providing a clear remediation path. The presence of multiple code execution and memory corruption flaws in a library as ubiquitous as libpng, within what appears to be a content-serving application, raises the risk of exploitation if the container remains in a production environment without an update. The scan serves as a direct warning that the system's current state does not meet security baselines.
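As an added example (not part of the scan report or of the `news-feed` project), the following Python turns a Trivy JSON report into the upgrade plan the alert describes: for each package it derives the lowest Alpine version that closes every HIGH or CRITICAL CVE, and it fails the gate while any such finding remains. The embedded report is constructed from the versions and CVE ids above; the installed gnutls version and the assignment of each libpng CVE to a fixed release are placeholders.

```python
import json

# Constructed sample in the layout of a Trivy JSON report, limited to the fields
# this check reads. Package names, versions and CVE ids follow the alert above;
# the installed gnutls version and the per-CVE libpng fix mapping are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "7002370412/news-feed:latest",
    "Results": [{"Target": "7002370412/news-feed:latest (alpine 3.23.3)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-1584", "PkgName": "gnutls", "Severity": "HIGH",
         "InstalledVersion": "3.8.11-r0", "FixedVersion": "3.8.12-r0"},
        {"VulnerabilityID": "CVE-2026-25646", "PkgName": "libpng", "Severity": "HIGH",
         "InstalledVersion": "1.6.54-r0", "FixedVersion": "1.6.55-r0"},
        {"VulnerabilityID": "CVE-2026-33416", "PkgName": "libpng", "Severity": "HIGH",
         "InstalledVersion": "1.6.54-r0", "FixedVersion": "1.6.56-r0"},
        {"VulnerabilityID": "CVE-2026-33636", "PkgName": "libpng", "Severity": "HIGH",
         "InstalledVersion": "1.6.54-r0", "FixedVersion": "1.6.55-r0, 1.6.56-r0"},
    ]}],
})

def parse_apk_version(version):
    """Turn an apk version like '1.6.54-r0' into a numerically sortable tuple."""
    base, _, rel = version.partition("-r")
    parts = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return parts, int(rel) if rel.isdigit() else 0

def remediation_plan(report_json, gate=("CRITICAL", "HIGH")):
    """Map each package with a gated finding to (installed, target): the lowest
    version closing every gated CVE on it, or None if any CVE has no fix yet."""
    plan = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if vuln.get("Severity") not in gate:
                continue
            pkg, installed = vuln["PkgName"], vuln["InstalledVersion"]
            fixes = [f.strip() for f in vuln.get("FixedVersion", "").split(",") if f.strip()]
            # Trivy may list several fixed versions comma-separated; the lowest one
            # already closes this CVE. Across CVEs of a package we need the highest.
            needed = min(fixes, key=parse_apk_version) if fixes else None
            _, target = plan.get(pkg, (installed, installed))
            if needed is None or target is None:
                plan[pkg] = (installed, None)
            else:
                plan[pkg] = (installed, max(target, needed, key=parse_apk_version))
    return plan

def passes_gate(report_json, gate=("CRITICAL", "HIGH")):
    """True only when no finding at a gated severity remains; usable as a CI check."""
    return not remediation_plan(report_json, gate)
```

For the sample report, `remediation_plan` yields gnutls 3.8.11-r0 to 3.8.12-r0 and libpng 1.6.54-r0 to 1.6.56-r0, and `passes_gate` returns False until both upgrades land.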