Over the years, multiple studies have shown that critical flaws persist in container images: unpatched software, insecure configurations, and other lapses.
Insecure and outdated container images have been a recurring problem identified by multiple cybersecurity researchers over several years.
Earlier large-scale work by Prevasio in 2020 found that 51% of 4 million public Docker Hub images had critical vulnerabilities. In the same year, Aqua Security separately tracked malicious and risky images on Docker Hub, including cryptomining campaigns and supply chain abuse involving container images. Academic research added weight to the trend: a 2020 study of 2,500 Docker Hub images found that official images were generally less vulnerable than certified ones, while severe vulnerabilities were heavily concentrated in common language ecosystems such as JavaScript and Python.
In 2023, Rezilion analysts found hundreds of Docker containers with hidden vulnerabilities that standard scanners had missed, including high-severity flaws in widely downloaded images.
This year, on 9 June 2026, Kaspersky spotlighted how scanned Docker Hub images frequently exposed risks such as embedded credentials, opportunities for privilege escalation, and missing integrity checks during software downloads. A fully patched image can therefore still be dangerous if it is poorly built or deployed.
Docker, for its part, has spent several years building out remediation and vulnerability-management measures. In 2020, Docker partnered with Snyk to bring native vulnerability scanning to Docker tooling, then expanded that relationship so that Docker Official Images and Certified images received more advanced analysis. More recently, Docker has been promoting Docker Scout as a software supply chain security service that analyzes images, tracks vulnerabilities, and helps developers identify remediation paths before code reaches production.
Docker has also continued issuing security fixes for flaws in its own products. In 2026, for example, Docker addressed CVE-2026-34040, an authorization-bypass issue in Docker Engine that was fixed in version 29.3.1.
The practical lesson for enterprises is that containerization still comes with risk: teams need to scan images continuously, verify provenance, pin dependencies, and rebuild containers regularly rather than assuming popular images are safe by default.
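As an added illustration (not code from this article or from any of the vendors it names), the following Python linter flags the Dockerfile anti-patterns described above: an unpinned base image, a download with no integrity check, an embedded credential, and a container that runs as root. Both Dockerfiles and the digest and checksum values in them are constructed for the example.

```python
import re

# Constructed weak Dockerfile: unpinned base, curl piped to sh with no checksum,
# credential baked in via ENV, no USER directive (runs as root).
WEAK_DOCKERFILE = """\
FROM python:3
ENV AWS_SECRET_ACCESS_KEY=EXAMPLEKEY123
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed hardened counterpart: digest-pinned base (placeholder digest),
# download verified with sha256sum (placeholder checksum), no secret, non-root user.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN curl -sSL -o /tmp/install.sh https://example.invalid/install.sh \\
    && echo "1111111111111111111111111111111111111111111111111111111111111111  /tmp/install.sh" | sha256sum -c - \\
    && sh /tmp/install.sh
COPY . /app
USER 10001
CMD ["python", "/app/main.py"]
"""

SECRET_KEY_RE = re.compile(r"(SECRET|PASSWORD|TOKEN|API_KEY|ACCESS_KEY)", re.I)
# curl/wget whose output is piped straight into a shell, with no checksum step in between
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")

def parse_instructions(text):
    """Join backslash-continued lines and return (INSTRUCTION, argument) pairs."""
    joined = re.sub(r"\\\n", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        out.append((instr.upper(), arg.strip()))
    return out

def lint_dockerfile(text):
    """Return a sorted list of finding codes for the given Dockerfile text."""
    findings, saw_user = set(), False
    for instr, arg in parse_instructions(text):
        if instr == "FROM" and "@sha256:" not in arg:
            findings.add("unpinned-base-image")
        if instr == "RUN" and PIPE_TO_SHELL_RE.search(arg):
            findings.add("unverified-download")
        if instr in ("ENV", "ARG") and SECRET_KEY_RE.search(arg.split("=")[0]):
            findings.add("embedded-credential")
        if instr == "USER" and arg not in ("root", "0"):
            saw_user = True
    if not saw_user:
        findings.add("runs-as-root")
    return sorted(findings)
```

The checks are deliberately simple pattern matches over parsed instructions; a real pipeline would combine them with a vulnerability scanner rather than replace one.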