FedRAMP Remediation — h2oai/h2o-llmstudio — due 2026-06-22 (cycle 2026-06) — 25 CVEs / 55 remediation rows due #1057

@mohamedasni

Repo: h2oai/h2o-llmstudio
Cycle: 2026-06
Scan date: 2026-05-29 (Trivy)
Due date: 2026-06-22
Due this cycle: 25 distinct CVEs across 55 remediation rows (package×version×image combinations)

Caution

Closure gate: the 55 rows below are due by 2026-06-22. Remediate by upgrading each affected package to a fixed version.

| CVE | Severity | Sev src | Package | Installed | Fix Version | Due Date | Published | Days Left | Image(s) |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-5450 | CRITICAL | NVD | glibc | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5450 | CRITICAL | NVD | glibc-dev | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5450 | CRITICAL | NVD | glibc-locale-posix | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5450 | CRITICAL | NVD | ld-linux | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5450 | CRITICAL | NVD | libcrypt1 | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5450 | CRITICAL | NVD | nss-db | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5450 | CRITICAL | NVD | nss-hesiod | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-66418 | HIGH | Trivy | py3-pip-wheel | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-12-05 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-66418 | HIGH | Trivy | py3.10-pip | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-12-05 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-66418 | HIGH | Trivy | py3.10-pip-base | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-12-05 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-66471 | HIGH | Trivy | py3-pip-wheel | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-12-05 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-66471 | HIGH | Trivy | py3.10-pip | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-12-05 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-66471 | HIGH | Trivy | py3.10-pip-base | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-12-05 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-21441 | HIGH | Trivy | py3-pip-wheel | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2026-01-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-21441 | HIGH | Trivy | py3.10-pip | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2026-01-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-21441 | HIGH | Trivy | py3.10-pip-base | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2026-01-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-33811 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-33811 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-33814 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-33814 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39820 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39820 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39823 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39823 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39825 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39825 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39826 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39826 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39836 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-39836 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-42215 | HIGH | Trivy | GitPython | 3.1.46 | 3.1.47 | 2026-06-22 | 2026-04-25 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-42284 | HIGH | Trivy | GitPython | 3.1.46 | 3.1.47 | 2026-06-22 | 2026-04-25 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-42499 | HIGH | Trivy | stdlib | v1.26.2 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-42499 | HIGH | Trivy | stdlib | v1.25.9 | 1.25.10, 1.26.3 | 2026-06-22 | 2026-05-07 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-44243 | HIGH | Trivy | GitPython | 3.1.46 | 3.1.48 | 2026-06-22 | 2026-05-06 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-44244 | HIGH | Trivy | GitPython | 3.1.46 | 3.1.49 | 2026-06-22 | 2026-05-06 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-44431 | HIGH | Trivy | urllib3 | 2.6.3 | 2.7.0 | 2026-06-22 | 2026-05-11 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-44432 | HIGH | Trivy | urllib3 | 2.6.3 | 2.7.0 | 2026-06-22 | 2026-05-11 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-44973 | HIGH | Trivy | github.com/go-git/go-billy/v5 | v5.8.0 | 5.9.0 | 2026-06-22 | 2026-05-14 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-45022 | HIGH | Trivy | github.com/go-git/go-git/v5 | v5.18.0 | 5.19.0 | 2026-06-22 | 2026-05-11 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | glibc | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | glibc-dev | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | glibc-locale-posix | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | ld-linux | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | libcrypt1 | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | nss-db | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-5928 | HIGH | NVD | nss-hesiod | 2.43-r6 | 2.43-r7 | 2026-06-22 | 2026-04-20 | 24 | h2oai-llmstudio-app:v1.14.12 |
| GHSA-82j2-j2ch-gfr8 | HIGH | Trivy | rustls-webpki | 0.103.12 | 0.103.13, 0.104.0-alpha.7 | 2026-06-22 | 2026-04-24 | 24 | h2oai-llmstudio-app:v1.14.12 |
| GHSA-mv93-w799-cj2w | HIGH | Trivy | GitPython | 3.1.46 | 3.1.50 | 2026-06-22 | 2026-05-08 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-50181 | MEDIUM | Trivy | py3-pip-wheel | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-06-19 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-50181 | MEDIUM | Trivy | py3.10-pip | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-06-19 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2025-50181 | MEDIUM | Trivy | py3.10-pip-base | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2025-06-19 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-25645 | MEDIUM | Trivy | py3-pip-wheel | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2026-03-25 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-25645 | MEDIUM | Trivy | py3.10-pip | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2026-03-25 | 24 | h2oai-llmstudio-app:v1.14.12 |
| CVE-2026-25645 | MEDIUM | Trivy | py3.10-pip-base | 26.0.1-r2 | 26.1.1-r0 | 2026-06-22 | 2026-03-25 | 24 | h2oai-llmstudio-app:v1.14.12 |

SLA reference: Critical/High due this cycle. Medium (90d) / Low (180d) included when their SLA deadline falls on or before 2026-06-25. Scan date 2026-05-29 (Trivy). Due date = cycle due 2026-06-22.
Severities/dates marked NVD or GHSA were enriched from NVD + GitHub Advisory where Trivy's feed was UNKNOWN or missing.

Generated by vulnguard — FedRAMP cycle 2026-06, scan 2026-05-29 (Trivy 0.68.2 + NVD/GHSA enrichment).
