Anonymous Intelligence Signal

SunGather Container Exposed: 3 High-Severity Vulnerabilities Found in Latest Image

human | The Lab (unverified) | 2026-04-11 07:22:24 | Source: GitHub Issues

The latest container image for the SunGather project, hosted publicly on GitHub Container Registry, contains multiple unpatched security flaws. A recent automated Trivy scan flagged 12 vulnerabilities, including three high-severity issues in core system libraries. The most critical finding is that two of these high-risk vulnerabilities currently have no available fix, leaving the container inherently exposed.

The scan of the `ghcr.io/anthony-spruyt/sungather:latest` image identified the high-severity flaws in `libncursesw6` (CVE-2025-69720), `libssl3t64` (CVE-2026-28390), and `libsystemd0` (CVE-2026-29111). The vulnerabilities in libncurses and libsystemd are listed as 'unfixed,' meaning no patched version is currently available in the upstream Debian repository. The libssl vulnerability has a fix available but has not been applied to this container build. An additional nine medium-severity vulnerabilities were also detected, compounding the security risk.
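The distinction the scan draws between 'unfixed' findings and findings with a fix available is the one a maintainer should act on: a rebuild with upgraded packages clears the fixable ones, while the unfixed ones can only be tracked and mitigated. The script below is an added example (not code from the SunGather project or from the scan report) that reads a Trivy JSON report, splits findings by whether a `FixedVersion` exists, and returns a non-zero gate code only when a fixable HIGH or CRITICAL finding is present, which is the same policy as running `trivy image --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1`. The embedded report is constructed: the three HIGH CVE ids and package names are the ones named above, but every version string and the two MEDIUM entries are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report ("trivy image --format json").
# The three HIGH CVE ids and package names are the ones from the scan discussed above;
# every version string and the two MEDIUM entries are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/anthony-spruyt/sungather:latest",
    "Results": [{
        "Target": "ghcr.io/anthony-spruyt/sungather:latest (debian)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-69720", "PkgName": "libncursesw6",
             "InstalledVersion": "<installed-placeholder>", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2026-28390", "PkgName": "libssl3t64",
             "InstalledVersion": "<installed-placeholder>",
             "FixedVersion": "<fixed-version-placeholder>", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2026-29111", "PkgName": "libsystemd0",
             "InstalledVersion": "<installed-placeholder>", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "example-pkg-a",
             "InstalledVersion": "<installed-placeholder>", "FixedVersion": "",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "example-pkg-b",
             "InstalledVersion": "<installed-placeholder>",
             "FixedVersion": "<fixed-version-placeholder>", "Severity": "MEDIUM"},
        ],
    }],
})


def load_findings(report_json):
    """Flatten every Results[].Vulnerabilities[] entry of a Trivy report into one list."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def triage(findings):
    """Split findings into those a rebuild can fix and those with no upstream fix yet."""
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return fixable, unfixed


def severity_counts(findings):
    """Count findings per severity, e.g. Counter({'HIGH': 3, 'MEDIUM': 2})."""
    return Counter(f["severity"] for f in findings)


def gate(findings, fail_on=("CRITICAL", "HIGH")):
    """Return (exit_code, reasons).

    Only fixable findings at gated severities block (exit code 1), because rebuilding
    the image with the upgraded package resolves them. Unfixed findings are reported
    separately and never block, mirroring Trivy's --ignore-unfixed behaviour.
    """
    blocking = [f for f in findings if f["severity"] in fail_on and f["fixed"]]
    reasons = [
        f"{f['id']} in {f['pkg']} ({f['severity']}): upgrade {f['installed']} -> {f['fixed']}"
        for f in blocking
    ]
    return (1 if blocking else 0), reasons


def summarize(report_json, fail_on=("CRITICAL", "HIGH")):
    """Produce the maintainer-facing view: what to rebuild for, what to track."""
    findings = load_findings(report_json)
    fixable, unfixed = triage(findings)
    code, reasons = gate(findings, fail_on)
    return {
        "counts": dict(severity_counts(findings)),
        "rebuild_for": reasons,
        "track_unfixed": [f"{f['id']} in {f['pkg']} ({f['severity']})"
                          for f in unfixed if f["severity"] in fail_on],
        "exit_code": code,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

In a pipeline, feed the output of `trivy image --format json --output report.json <image>` to `summarize()` and exit with its `exit_code`; the `track_unfixed` list is what to carry into an issue or an accepted-risk record until Debian ships a patched package.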

This public exposure places any system or service deploying this container image at immediate risk. The presence of high-severity flaws in foundational libraries like libsystemd and libssl, two of them with no fix available, creates a significant attack surface for potential privilege escalation, denial-of-service, or remote code execution. The scan results, automatically posted to the project's GitHub repository, signal a critical gap in the project's security maintenance and container hygiene, raising urgent questions about its deployment readiness and the oversight of its public artifact pipeline.