False positive for CVE-2026-32767: libexpat on nginxproxy/nginx-proxy:1.10.1-alpine image

[coreh]

IDs

CVE-2026-32767

Description

CVE-2026-32767 is mistakenly being reported as being a libexpat vulnerability where it's actually a SiYuan vulnerability

Reproduction Steps

trivy image --severity CRITICAL nginxproxy/nginx-proxy:1.10.1-alpine

Target

Container Image

Scanner

Vulnerability

Target OS

alpine 3.23.3

Debug Output

coreh@Marcos-MacBook-Pro ~> trivy image --severity CRITICAL nginxproxy/nginx-proxy:1.10.1-alpine --debug
2026-03-26T20:03:46-03:00       DEBUG   No plugins loaded
2026-03-26T20:03:46-03:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-03-26T20:03:46-03:00       DEBUG   Cache dir       dir="/Users/coreh/Library/Caches/trivy"
2026-03-26T20:03:46-03:00       DEBUG   Cache dir       dir="/Users/coreh/Library/Caches/trivy"
2026-03-26T20:03:46-03:00       DEBUG   Parsed severities       severities=[CRITICAL]
2026-03-26T20:03:46-03:00       DEBUG   Ignore statuses statuses=[]
2026-03-26T20:03:46-03:00       DEBUG   DB update was skipped because the local DB was downloaded during the last hour
2026-03-26T20:03:46-03:00       DEBUG   DB info schema=2 updated_at=2026-03-19T12:35:06.232779536Z next_update=2026-03-20T12:35:06.232779285Z downloaded_at=2026-03-26T22:50:54.071276Z
2026-03-26T20:03:46-03:00       DEBUG   [pkg] Package types     types=[os library]
2026-03-26T20:03:46-03:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2026-03-26T20:03:46-03:00       INFO    [vuln] Vulnerability scanning is enabled
2026-03-26T20:03:46-03:00       INFO    [secret] Secret scanning is enabled
2026-03-26T20:03:46-03:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-03-26T20:03:46-03:00       INFO    [secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-03-26T20:03:46-03:00       DEBUG   [notification] Running version check
2026-03-26T20:03:46-03:00       DEBUG   Initializing scan cache...      type="fs"
2026-03-26T20:03:46-03:00       DEBUG   [notification] Version check completed  latest_version="0.69.3"
2026-03-26T20:03:47-03:00       DEBUG   [image] Image found     image="nginxproxy/nginx-proxy:1.10.1-alpine" source="remote"
2026-03-26T20:03:47-03:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2026-03-26T20:03:47-03:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2026-03-26T20:03:47-03:00       DEBUG   Created process-specific temp directory path="/var/folders/3g/mcvwq62x7097fvz6kgp1665h0000gn/T/trivy-41045"
2026-03-26T20:03:48-03:00       DEBUG   [image] Detected image ID       image_id="sha256:3c4992a121496a333329dc95ac1bed10ac98f82bee0911f7fbed88f14060d390"
2026-03-26T20:03:48-03:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:989e799e634906e94dc9a5ee2ee26fc92ad260522990f26e707861a5f52bf64e sha256:5bb518009c83d498f71263ffc016f9f447251adbd2529289ead569af6f8e70e6 sha256:ea6528e5378341e48a761c0bac1ad6c3974d87fb870aaba005c4cd50817dbdff sha256:09c3b60a3926ba8b1f23fddac881831a17ed7e803aee91e59c86f25f131e87c5 sha256:e0fe744d26d4e1c18fc24961038c30992ebc3399f9b3d7f136fad15d6db08db4 sha256:04297a721e7f464d1c7e35294c019010fd7fd20ec1b3891ee207e7dd39c4fcff sha256:5693fac86db4876970e0bbdd63d9b50ed650051457225e9377d8b72a35aba7bd sha256:d408059e7553020f3caf3f88b3d1f012c7a0528299b077a5b8ee2ea70e29f109 sha256:f27c3d747b10214ad675a8ceb0b67b805d63060c9a73442eadbb6cd633b12c8a sha256:8cd4c1f1628bea3828fe5f1a17463844a290535fdb7c0c4c2b6ac77a46d1c126 sha256:006157412c7b2fab7387e3482d3df857b7909860267608e3c6f8ac6a1565eb99 sha256:f70777f347cc185044db80c5bdc1b2326781b8d98010a3acfe869ed224e8423b sha256:c1bf71934167a7ca9abb6da06ff8d9d92f1d23cc26a348d1370b7bf402c5e870 sha256:e33e93a9c3d3dc84bc271d0008e920117f9ec4a673e515f4c0f9462dd3b71572 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2026-03-26T20:03:48-03:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:989e799e634906e94dc9a5ee2ee26fc92ad260522990f26e707861a5f52bf64e sha256:5bb518009c83d498f71263ffc016f9f447251adbd2529289ead569af6f8e70e6 sha256:ea6528e5378341e48a761c0bac1ad6c3974d87fb870aaba005c4cd50817dbdff sha256:09c3b60a3926ba8b1f23fddac881831a17ed7e803aee91e59c86f25f131e87c5 sha256:e0fe744d26d4e1c18fc24961038c30992ebc3399f9b3d7f136fad15d6db08db4 sha256:04297a721e7f464d1c7e35294c019010fd7fd20ec1b3891ee207e7dd39c4fcff sha256:5693fac86db4876970e0bbdd63d9b50ed650051457225e9377d8b72a35aba7bd]
2026-03-26T20:03:48-03:00       INFO    Detected OS     family="alpine" version="3.23.3"
2026-03-26T20:03:48-03:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.23" repository="3.23" pkg_num=76
2026-03-26T20:03:48-03:00       INFO    Number of language-specific files       num=2
2026-03-26T20:03:48-03:00       INFO    [gobinary] Detecting vulnerabilities...
2026-03-26T20:03:48-03:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/docker-gen"
2026-03-26T20:03:48-03:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/nginx-proxy/docker-gen"
2026-03-26T20:03:48-03:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/forego"
2026-03-26T20:03:48-03:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/nginx-proxy/forego"
2026-03-26T20:03:48-03:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.
2026-03-26T20:03:48-03:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2026-03-26T20:03:48-03:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                        Target                        │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ nginxproxy/nginx-proxy:1.10.1-alpine (alpine 3.23.3) │  alpine  │        1        │    -    │
├──────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-gen                             │ gobinary │        0        │    -    │
├──────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/forego                                 │ gobinary │        0        │    -    │
└──────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


nginxproxy/nginx-proxy:1.10.1-alpine (alpine 3.23.3)

Total: 1 (CRITICAL: 1)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2026-32767 │ CRITICAL │ fixed  │ 2.7.4-r0          │ 2.7.5-r0      │ SiYuan: Authorization Bypass Allows Arbitrary SQL Execution │
│          │                │          │        │                   │               │ via Search API                                              │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-32767                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2026-03-26T20:03:48-03:00       DEBUG   Cleaning up temp directory      path="/var/folders/3g/mcvwq62x7097fvz6kgp1665h0000gn/T/trivy-41045"

### Version

```bash
Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-03-19 12:35:06.232779536 +0000 UTC
  NextUpdate: 2026-03-20 12:35:06.232779285 +0000 UTC
  DownloadedAt: 2026-03-26 22:50:54.071276 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2026-03-19 01:17:54.395813642 +0000 UTC
  NextUpdate: 2026-03-22 01:17:54.39581332 +0000 UTC
  DownloadedAt: 2026-03-26 21:51:21.581206 +0000 UTC
Check Bundle:
  Digest: sha256:1583562f8b90ed2a071b99f0e5ffff6b57e4ceb6ca3e4796577b4e6a339eb74c
  DownloadedAt: 2026-03-26 21:47:21.865599 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

Evidence

• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-32767 — describes a SiYuan application-level SQL injection (CWE-89, CWE-863)
• Debian Security Tracker: https://security-tracker.debian.org/tracker/CVE-2026-32767 — marked as NOT-FOR-US: SiYuan
• GitLab Advisory: https://advisories.gitlab.com/pkg/golang/github.com/siyuan-note/siyuan/kernel/CVE-2026-32767/ — correctly scoped to github.com/siyuan-note/siyuan

[DmitriyLewen]

Duplicate of #10412