
skills: add new skill to run govulncheck in source mode#2

Merged
ytsssun merged 1 commit into ytsssun:develop from piyush-jena:govulncheck-source
Mar 20, 2026

Conversation

@piyush-jena

Prompt example: Use govulncheck-go-packages skill to give me vulnerabilities in containerd-1.7
Output:

## Summary

| Package | Version | Go | Vulns | Status |
|---------|---------|-----|-------|--------|
| containerd-1.7 | 1.7.30 | 1.24 | 5 | affected |

## Vulnerabilities Found

1. GO-2026-4603 — html/template: URLs in meta content attribute actions are not escaped. Found in html/template@go1.24.12, fixed in go1.25.8.
   - Reached via CRI streaming server → template.Template.Execute

2. GO-2026-4602 — os: FileInfo can escape from a Root. Found in os@go1.24.12, fixed in go1.25.8.
   - Reached via native snapshotter, content store, and linux runtime

3. GO-2026-4601 — net/url: Incorrect parsing of IPv6 host literals. Found in net/url@go1.24.12, fixed in go1.25.8.
   - Reached via CRI config validation, ctr debug transport, and Docker auth token fetching

4. GO-2026-4394 — go.opentelemetry.io/otel/sdk: Arbitrary code execution via PATH hijacking. Found in v1.21.0, fixed in v1.40.0.
   - Reached via tracing plugin initialization and span processing — many call paths affected

5. GO-2026-4337 — crypto/tls: Unexpected session resumption. Found in crypto/tls@go1.24.12, fixed in go1.24.13.
   - Reached via gRPC server TLS handshake, HTTP debug server, and image pull transport

Vulns #1, #2, #3, and #5 are Go standard library issues — they require a Go toolchain update (go1.24.13 for #5, go1.25.8 for the others). Vuln #4 is a third-party dependency (otel/sdk) that's significantly behind its fix version.
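As an added example (not part of this skill or of govulncheck itself), the script below turns a `govulncheck -json` stream into the summary table and "reached via" lines shown above. It assumes the `-json` message shape as I read it: a stream of JSON objects, each carrying one of `config`, `progress`, `osv` or `finding`, where a finding has `osv`, `fixed_version` and a `trace` whose first frame is the vulnerable symbol and last frame the entry point, with `function` set only on symbol-level findings. The sample stream is constructed; its OSV ids and versions come from the PR text, the `example.com/app` module and `serveGRPC` entry point are made up.

```python
import json

def iter_messages(stream: str):
    """Yield each JSON object of a govulncheck -json stream (the tool pretty-prints
    objects back to back, so decode incrementally rather than splitting on newlines)."""
    dec, pos = json.JSONDecoder(), 0
    while pos < len(stream):
        if stream[pos].isspace():
            pos += 1
            continue
        obj, pos = dec.raw_decode(stream, pos)
        yield obj

def summarise(stream: str) -> dict:
    """Group findings by OSV id. A vuln is 'reached' only if some finding's trace has a
    function frame (symbol level); module/package-level findings alone mean imported, not called."""
    vulns = {}
    for msg in iter_messages(stream):
        f = msg.get("finding")
        if not f or not f.get("trace"):
            continue
        top, entry = f["trace"][0], f["trace"][-1]  # vulnerable symbol ... entry point
        v = vulns.setdefault(f["osv"], {"module": top.get("module", ""), "found": top.get(
            "version", ""), "fixed": f.get("fixed_version", ""), "reached_via": set()})
        if top.get("function"):
            v["reached_via"].add(entry.get("function", "?"))
    return vulns

def render(package: str, version: str, go: str, vulns: dict) -> str:
    """Summary table plus one line per reached vuln, in the layout the skill prints."""
    reached = {k: v for k, v in vulns.items() if v["reached_via"]}
    rows = ["| Package | Version | Go | Vulns | Status |", "|---|---|---|---|---|",
            f"| {package} | {version} | {go} | {len(reached)} | "
            f"{'affected' if reached else 'not affected'} |"]
    for i, (osv, v) in enumerate(sorted(reached.items()), 1):
        rows.append(f"{i}. {osv}: {v['module']} found in {v['found']}, fixed in "
                    f"{v['fixed']}; reached via {', '.join(sorted(v['reached_via']))}")
    return "\n".join(rows)
# Constructed sample stream: OSV ids and versions from the PR text, module/entry point made up.
SAMPLE_STREAM = "\n".join(json.dumps(m, indent=2) for m in [
    {"config": {"scan_mode": "source", "go_version": "go1.24.12"}},
    {"finding": {"osv": "GO-2026-4337", "fixed_version": "go1.24.13", "trace": [
        {"module": "stdlib", "version": "go1.24.12", "package": "crypto/tls"}]}},
    {"finding": {"osv": "GO-2026-4337", "fixed_version": "go1.24.13", "trace": [
        {"module": "stdlib", "version": "go1.24.12", "package": "crypto/tls", "function": "Conn.Handshake"},
        {"module": "example.com/app", "package": "example.com/app", "function": "serveGRPC"}]}},
    {"finding": {"osv": "GO-2026-4394", "fixed_version": "v1.40.0", "trace": [
        {"module": "go.opentelemetry.io/otel/sdk", "version": "v1.21.0"}]}},
])
```

Pipe real output in with `govulncheck -json ./... | python3 summarise.py` after adding a small `main` that reads `sys.stdin`; only vulns with a symbol-level finding count toward the table, which matches govulncheck's own "called" vs "imported" distinction.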

@ytsssun
Owner

ytsssun commented Mar 17, 2026

This PR seems to have commits from the other PR - #1

Could you update?

Signed-off-by: Piyush Jena <jepiyush@amazon.com>
@piyush-jena
Author

Updated.

@ytsssun ytsssun merged commit 7818c21 into ytsssun:develop Mar 20, 2026
