fleet/security/status.md


<!-- DO NOT EDIT. This document is automatically generated by running `make vex-report`. -->
# Vulnerability Report
The following is the vulnerability report for Fleet and its dependencies.
## `fleetdm/fleet` docker image
### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any.
- **Products:** `fleet`,`pkg:golang/google.golang.org/grpc`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2026-03-24 12:38:53
### [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library.
- **Products:** `fleet`,`pkg:apk/alpine/zlib@1.3.1-r2`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-13 12:01:11
### [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Fleet uses Go cryptography packages.
- **Products:** `fleet`,`pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-10-01 10:09:03
### [CVE-2025-69419](https://nvd.nist.gov/vuln/detail/CVE-2025-69419)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleet uses Go's crypto and TLS implementation.
- **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-01-03 15:15:53
### [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Fleet does not mutate CA pool store between TLS sessions.
- **Products:** `fleet`,`pkg:golang/stdlib`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-13 13:23:41
### [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729)
#### Statement:
- **Author:** @lucasmrod
- **Status:** `fixed`
- **Products:** `fleet@v4.78.*`
- **Timestamp:** 2025-12-10 19:26:25
#### Statement:
- **Author:** @lucasmrod
- **Status:** `affected`
- **Status notes:** This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
- **Products:** `fleet@v4.77.0`,`fleet@v4.76.0`,`fleet@v4.76.1`,`fleet@v4.75.0`,`fleet@v4.75.1`,`pkg:golang/stdlib@1.25.3`
- **Action statement:** `No action statement provided`
- **Timestamp:** 2025-12-10 19:26:10
### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleet does not use OPA in server mode; it uses it as a library.
- **Products:** `fleet`,`pkg:golang/github.com/open-policy-agent/opa@v0.44.0`,`pkg:golang/github.com/open-policy-agent/opa@0.44.0`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-05-05 20:29:07
### [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The token format is validated before the call to ParseUnverified.
- **Products:** `fleet`,`pkg:golang/github.com/golang-jwt/jwt/v4`
- **Justification:** `inline_mitigations_already_exist`
- **Timestamp:** 2025-04-10 15:23:54
### [CVE-2025-27509](https://nvd.nist.gov/vuln/detail/CVE-2025-27509)
#### Statement:
- **Author:** @lucasmrod
- **Status:** `fixed`
- **Products:** `pkg:golang/github.com/fleetdm/fleet/v4`,`cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:*`
- **Timestamp:** 2025-05-12 16:30:30
#### Statement:
- **Author:** @lucasmrod
- **Status:** `affected`
- **Products:** `cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*`
- **Action statement:** `Disable SAML SSO authentication.`
- **Timestamp:** 2025-05-12 16:13:23
### [CVE-2025-26519](https://nvd.nist.gov/vuln/detail/CVE-2025-26519)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleet does not perform any EUC-KR to UTF-8 translation via libc.
- **Products:** `fleet`,`pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-14 16:30:01
### [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions).
- **Products:** `fleet`,`pkg:golang/stdlib@1.24.2`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-23 16:48:42
### [CVE-2025-21614](https://nvd.nist.gov/vuln/detail/CVE-2025-21614)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- **Products:** `fleet`,`pkg:golang/github.com/go-git/go-git/v5`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 15:43:15
### [CVE-2025-21613](https://nvd.nist.gov/vuln/detail/CVE-2025-21613)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- **Products:** `fleet`,`pkg:golang/github.com/go-git/go-git/v5`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 15:42:55
### [CVE-2025-15467](https://nvd.nist.gov/vuln/detail/CVE-2025-15467)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleet uses Go's crypto and TLS implementation.
- **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-01-03 15:15:53
### [CVE-2024-8260](https://nvd.nist.gov/vuln/detail/CVE-2024-8260)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Fleet doesn't run on Windows, so it's not affected by this vulnerability.
- **Products:** `fleet`,`pkg:golang/github.com/open-policy-agent/opa`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-05-05 20:54:14
### [CVE-2024-12797](https://nvd.nist.gov/vuln/detail/CVE-2024-12797)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleet uses Go TLS implementation.
- **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 15:15:53
### [CVE-2023-32698](https://nvd.nist.gov/vuln/detail/CVE-2023-32698)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- **Products:** `fleet`,`pkg:golang/github.com/goreleaser/nfpm/v2`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 15:28:30
## `fleetdm/fleetctl` docker image
### [GHSA-72hv-8253-57qq](https://nvd.nist.gov/vuln/detail/GHSA-72hv-8253-57qq)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Vulnerability only affects Java/JVM web applications that use Jackson's asynchronous (non-blocking) JSON parser.
- **Products:** `fleetctl`,`pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.0`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-13 12:30:33
### [GHSA-479m-364c-43vc](https://nvd.nist.gov/vuln/detail/GHSA-479m-364c-43vc)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not validate any XML signatures.
- **Products:** `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-23 16:44:57
### [CVE-2026-34875](https://nvd.nist.gov/vuln/detail/CVE-2026-34875)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image.
- **Products:** `fleetctl`,`pkg:deb/debian/libmbedcrypto16`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-08 12:06:49
### [CVE-2026-34873](https://nvd.nist.gov/vuln/detail/CVE-2026-34873)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image.
- **Products:** `fleetctl`,`pkg:deb/debian/libmbedcrypto16`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-08 12:06:46
### [CVE-2026-33810](https://nvd.nist.gov/vuln/detail/CVE-2026-33810)
- **Author:** @lucasmrod
- **Status:** `affected`
- **Products:** `fleetctl@v4.84.0`,`pkg:golang/stdlib@1.26.1`
- **Action statement:** `Low probability of exploit: requires the fleetctl admin to (1) trust a private/enterprise CA that uses excluded DNS name constraints, (2) an attacker able to obtain a cert under that CA with a wildcard SAN whose case differs from the excluded constraint, and (3) a MITM or DNS-hijack position between the admin's workstation and the Fleet server. If all conditions are met, the attacker can impersonate the Fleet server over TLS and capture the admin's API token. The Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available.`
- **Timestamp:** 2026-04-20 14:07:42
### [CVE-2026-33487](https://nvd.nist.gov/vuln/detail/CVE-2026-33487)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Possible vulnerability in SSO service providers, not in fleetctl command line tool.
- **Products:** `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-31 09:54:45
### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
- **Products:** `fleetctl`,`pkg:golang/google.golang.org/grpc`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-23 19:20:41
### [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280)
- **Author:** @lucasmrod
- **Status:** `affected`
- **Products:** `fleetctl@v4.83.2`,`fleetctl@v4.83.1`,`fleetctl@v4.83.0`,`fleetctl@v4.82.2`,`fleetctl@v4.82.1`,`fleetctl@v4.82.0`,`fleetctl@v4.81.3`,`fleetctl@v4.81.2`,`fleetctl@v4.81.1`,`fleetctl@v4.81.0`,`fleetctl@v4.80.3`,`fleetctl@v4.80.2`,`fleetctl@v4.80.1`,`fleetctl@v4.80.0`,`fleetctl@v4.79.1`,`fleetctl@v4.79.0`,`fleetctl@v4.78.3`,`fleetctl@v4.78.2`,`fleetctl@v4.78.1`,`fleetctl@v4.78.0`,`fleetctl@v4.77.1`,`fleetctl@v4.77.0`,`fleetctl@v4.76.2`,`fleetctl@v4.76.1`,`fleetctl@v4.76.0`,`fleetctl@v4.75.2`,`fleetctl@v4.75.1`,`fleetctl@v4.75.0`,`fleetctl@v4.74.0`,`fleetctl@v4.73.5`,`fleetctl@v4.73.4`,`fleetctl@v4.73.3`,`fleetctl@v4.73.2`,`fleetctl@v4.73.1`,`fleetctl@v4.73.0`,`fleetctl@v4.72.1`,`fleetctl@v4.72.0`,`fleetctl@v4.71.1`,`fleetctl@v4.71.0`,`fleetctl@v4.70.1`,`fleetctl@v4.70.0`,`fleetctl@v4.69.0`,`fleetctl@v4.68.1`,`fleetctl@v4.68.0`,`fleetctl@v4.67.3`,`fleetctl@v4.67.2`,`fleetctl@v4.67.1`,`fleetctl@v4.67.0`,`fleetctl@v4.66.0`,`fleetctl@v4.65.0`,`fleetctl@v4.64.2`,`fleetctl@v4.64.1`,`fleetctl@v4.64.0`,`fleetctl@v4.63.2`,`fleetctl@v4.63.1`,`fleetctl@v4.63.0`,`fleetctl@v4.62.4`,`fleetctl@v4.62.3`,`fleetctl@v4.62.2`,`fleetctl@v4.62.1`,`fleetctl@v4.62.0`,`fleetctl@v4.61.0`,`fleetctl@v4.60.1`,`fleetctl@v4.60.0`,`fleetctl@v4.59.1`,`fleetctl@v4.59.0`,`fleetctl@v4.58.1`,`fleetctl@v4.58.0`,`fleetctl@v4.57.3`,`fleetctl@v4.57.2`,`fleetctl@v4.57.1`,`fleetctl@v4.57.0`,`fleetctl@v4.56.0`,`fleetctl@v4.55.2`,`fleetctl@v4.55.1`,`fleetctl@v4.55.0`,`fleetctl@v4.54.2`,`fleetctl@v4.54.1`,`fleetctl@v4.54.0`,`fleetctl@v4.53.2`,`fleetctl@v4.53.1`,`fleetctl@v4.53.0`,`fleetctl@v4.52.0`,`fleetctl@v4.51.1`,`fleetctl@v4.51.0`,`fleetctl@v4.50.2`,`fleetctl@v4.50.1`,`fleetctl@v4.50.0`,`fleetctl@v4.49.4`,`fleetctl@v4.49.3`,`fleetctl@v4.49.2`,`fleetctl@v4.49.1`,`fleetctl@v4.49.0`,`fleetctl@v4.48.3`,`fleetctl@v4.48.2`,`fleetctl@v4.48.1`,`fleetctl@v4.48.0`,`fleetctl@v4.47.3`,`fleetctl@v4.47.2`,`fleetctl@v4.47.1`,`fleetctl@v4.47.0`,`fleetctl@v4.46.2`,`fleetctl@v4.46.1`,`fleetctl@v4.46.0`,`fleetctl@v4.45.1`,`fleetctl@v4.45.0`,`fleetctl@v4.44.1`,`fleetctl@v4.44.0`,`fleetctl@v4.43.3`,`fleetctl@v4.43.2`,`fleetctl@v4.43.1`,`fleetctl@v4.43.0`,`fleetctl@v4.42.0`,`fleetctl@v4.41.1`,`fleetctl@v4.41.0`,`fleetctl@v4.40.0`,`fleetctl@v4.39.0`,`fleetctl@v4.38.1`,`fleetctl@v4.38.0`,`fleetctl@v4.37.0`,`fleetctl@v4.36.0`,`fleetctl@v4.35.2`,`fleetctl@v4.35.1`,`fleetctl@v4.35.0`,`fleetctl@v4.34.1`,`fleetctl@v4.34.0`,`fleetctl@v4.33.1`,`fleetctl@v4.33.0`,`fleetctl@v4.32.0`,`fleetctl@v4.31.1`,`fleetctl@v4.31.0`,`fleetctl@v4.30.1`,`fleetctl@v4.30.0`,`fleetctl@v4.29.1`,`fleetctl@v4.29.0`,`fleetctl@v4.28.1`,`fleetctl@v4.28.0`,`fleetctl@v4.27.1`,`fleetctl@v4.27.0`,`fleetctl@v4.26.0`,`fleetctl@v4.25.0`,`fleetctl@v4.24.1`,`fleetctl@v4.24.0`,`fleetctl@v4.23.0`,`fleetctl@v4.22.1`,`fleetctl@v4.22.0`,`fleetctl@v4.21.0`,`fleetctl@v4.20.1`,`fleetctl@v4.20.0`,`fleetctl@v4.19.1`,`fleetctl@v4.19.0`,`fleetctl@v4.18.0`,`fleetctl@v4.17.1`,`fleetctl@v4.17.0`,`fleetctl@v4.16.0`,`fleetctl@v4.15.0`,`fleetctl@v4.14.0`,`fleetctl@v4.13.2`,`fleetctl@v4.13.1`,`fleetctl@v4.13.0`,`fleetctl@v4.12.1`,`fleetctl@v4.12.0`,`fleetctl@v4.11.0`,`fleetctl@v4.10.0`,`fleetctl@v4.9.1`,`fleetctl@v4.9.0`,`fleetctl@v4.8.0`,`fleetctl@v4.7.0`,`fleetctl@v4.6.2`,`fleetctl@v4.6.1`,`fleetctl@v4.6.0`,`fleetctl@v4.5.1`,`fleetctl@v4.5.0`,`fleetctl@v4.4.3`,`fleetctl@v4.4.2`,`fleetctl@v4.4.1`,`fleetctl@v4.4.0`,`fleetctl@v4.3.2`,`fleetctl@v4.3.1`,`fleetctl@v4.3.0`,`fleetctl@v4.2.4`,`fleetctl@v4.2.3`,`fleetctl@v4.2.2`,`fleetctl@v4.2.1`,`fleetctl@v4.2.0`,`fleetctl@v4.1.0`,`fleetctl@v4.0.1`,`fleetctl@v4.0.0`,`fleetctl@v3.13.0`,`fleetctl@v3.12.0`,`fleetctl@v3.11.0`,`fleetctl@v3.10.1`,`fleetctl@v3.10.0`,`fleetctl@v3.9.0`,`fleetctl@v3.8.0`,`fleetctl@v3.7.4`,`fleetctl@v3.7.1`,`fleetctl@v3.7.0`,`fleetctl@v3.6.0`,`fleetctl@v3.5.1`,`fleetctl@v3.5.0`,`fleetctl@v3.4.0`,`fleetctl@v3.3.0`,`pkg:golang/stdlib@1.25.7`
- **Action statement:** `Low impact: denial-of-service (high CPU) on the host running fleetctl if it connects to a hostile TLS peer (malicious/compromised Fleet server, or MITM presenting a valid-looking cert) that sends many intermediate certificates. No code execution or data disclosure, and the Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available.`
- **Timestamp:** 2026-04-20 14:00:03
### [CVE-2026-27806](https://nvd.nist.gov/vuln/detail/CVE-2026-27806)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Vulnerability in orbit, not fleetctl.
- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-20 13:46:50
### [CVE-2026-27465](https://nvd.nist.gov/vuln/detail/CVE-2026-27465)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** This is a vulnerability in Fleet, not fleetctl.
- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-13 12:33:34
### [CVE-2026-26061](https://nvd.nist.gov/vuln/detail/CVE-2026-26061)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Vulnerability in fleet server, not fleetctl.
- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-03-31 09:36:31
### [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl uses admin-controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
- **Products:** `fleetctl`,`pkg:golang/stdlib`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2026-03-23 19:12:15
### [CVE-2026-24515](https://nvd.nist.gov/vuln/detail/CVE-2026-24515)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not process XML using libexpat1, and when generating packages the XML files are predefined.
- **Products:** `fleetctl`,`pkg:deb/debian/libexpat1`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-01-03 15:15:53
### [CVE-2026-23517](https://nvd.nist.gov/vuln/detail/CVE-2026-23517)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** This vulnerability affected fleet, not fleetctl; it is listed here to avoid false positives.
- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
- **Justification:** `component_not_present`
- **Timestamp:** 2026-01-30 09:25:41
### [CVE-2026-0968](https://nvd.nist.gov/vuln/detail/CVE-2026-0968)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not use libssh. The libssh-4 package is an unused transitive dependency in the container image.
- **Products:** `fleetctl`,`pkg:deb/debian/libssh-4`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-08 12:06:51
### [CVE-2025-69419](https://nvd.nist.gov/vuln/detail/CVE-2025-69419)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleet uses Go's crypto and TLS implementation.
- **Products:** `fleetctl`,`pkg:deb/debian/libssl3`,`pkg:deb/debian/openssl`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-01-03 15:15:53
### [CVE-2025-66516](https://nvd.nist.gov/vuln/detail/CVE-2025-66516)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not process end-user provided PDF files with Java when generating fleetd installers. The only PDF processing code is in Go for EULA documents.
- **Products:** `fleetctl`,`pkg:maven/org.apache.tika/tika-core`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-10 18:12:45
### [CVE-2025-66293](https://nvd.nist.gov/vuln/detail/CVE-2025-66293)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for PNG processing.
- **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-10 19:04:58
### [CVE-2025-65018](https://nvd.nist.gov/vuln/detail/CVE-2025-65018)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for PNG processing.
- **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-10 19:04:42
### [CVE-2025-64720](https://nvd.nist.gov/vuln/detail/CVE-2025-64720)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for PNG processing.
- **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-10 19:04:07
### [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729)
#### Statement:
- **Author:** @lucasmrod
- **Status:** `fixed`
- **Products:** `fleetctl@v4.78.*`
- **Timestamp:** 2025-12-10 19:26:44
#### Statement:
- **Author:** @lucasmrod
- **Status:** `affected`
- **Status notes:** This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
- **Products:** `fleetctl@v4.77.0`,`fleetctl@v4.76.0`,`fleetctl@v4.76.1`,`fleetctl@v4.75.0`,`fleetctl@v4.75.1`,`pkg:golang/stdlib@1.25.3`
- **Action statement:** `No action statement provided`
- **Timestamp:** 2025-12-10 19:26:35
### [CVE-2025-49796](https://nvd.nist.gov/vuln/detail/CVE-2025-49796)
- **Author:** @sgress454
- **Status:** `not_affected`
- **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple's iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-13 15:57:38
### [CVE-2025-49795](https://nvd.nist.gov/vuln/detail/CVE-2025-49795)
- **Author:** @sgress454
- **Status:** `not_affected`
- **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple's iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-13 15:57:25
### [CVE-2025-49794](https://nvd.nist.gov/vuln/detail/CVE-2025-49794)
- **Author:** @sgress454
- **Status:** `not_affected`
- **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple's iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-13 15:56:50
### [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The fleetctl tool is used by IT admins to generate packages, so the vulnerable code cannot be controlled by attackers.
- **Products:** `fleetctl`,`pkg:maven/commons-beanutils/commons-beanutils`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-06-02 07:33:44
### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use OPA.
- **Products:** `fleetctl`,`pkg:golang/github.com/open-policy-agent/opa`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-05-06 07:47:31
### [CVE-2025-41249](https://nvd.nist.gov/vuln/detail/CVE-2025-41249)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Vulnerability affects web servers, not fleetctl.
- **Products:** `fleetctl`,`pkg:maven/org.springframework/spring-core`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-09-22 10:27:40
### [CVE-2025-31115](https://nvd.nist.gov/vuln/detail/CVE-2025-31115)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use liblzma5.
- **Products:** `fleetctl`,`pkg:deb/debian/liblzma5`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-09 13:24:20
### [CVE-2025-27509](https://nvd.nist.gov/vuln/detail/CVE-2025-27509)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** This vulnerability affected fleet, not fleetctl; it is listed here to avoid false positives.
- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4`
- **Justification:** `component_not_present`
- **Timestamp:** 2025-09-12 09:25:41
### [CVE-2025-15467](https://nvd.nist.gov/vuln/detail/CVE-2025-15467)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl uses Go's crypto and TLS implementation.
- **Products:** `fleetctl`,`pkg:deb/debian/openssl`,`pkg:deb/debian/libssl3`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-01-03 15:15:53
### [CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use Java.
- **Products:** `fleetctl`,`pkg:maven/com.google.protobuf/protobuf-java`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 07:34:26
### [CVE-2023-6879](https://nvd.nist.gov/vuln/detail/CVE-2023-6879)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use libaom3.
- **Products:** `fleetctl`,`pkg:deb/debian/libaom3`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-15 10:28:21
### [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use the zlib C library.
- **Products:** `fleetctl`,`pkg:deb/debian/zlib1g`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-15 10:17:19
### [CVE-2023-32698](https://nvd.nist.gov/vuln/detail/CVE-2023-32698)
- **Author:** @getvictor
- **Status:** `not_affected`
- **Status notes:** When packaging Linux files, fleetctl does not use global permissions. It was verified that the files in the generated fleetd packages do not have group/global write permissions.
- **Products:** `fleetctl`,`pkg:golang/github.com/goreleaser/nfpm/v2`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-04-09 10:26:02
### [CVE-2019-10202](https://nvd.nist.gov/vuln/detail/CVE-2019-10202)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use Java.
- **Products:** `fleetctl`,`pkg:maven/org.codehaus.jackson/jackson-mapper-asl`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-15 10:31:31
### [CVE-2013-4002](https://nvd.nist.gov/vuln/detail/CVE-2013-4002)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use Java.
- **Products:** `fleetctl`,`pkg:maven/xerces/xercesImpl`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 07:36:31
### [CVE-2012-0881](https://nvd.nist.gov/vuln/detail/CVE-2012-0881)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not use Java.
- **Products:** `fleetctl`,`pkg:maven/xerces/xercesImpl`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-04-10 14:46:52
## `fleetdm/wix` docker image
### [CVE-2026-5201](https://nvd.nist.gov/vuln/detail/CVE-2026-5201)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do JPEG processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libgdk-pixbuf-2.0-0`,`pkg:deb/debian/libgdk-pixbuf2.0-common`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-20 11:41:33
### [CVE-2026-4775](https://nvd.nist.gov/vuln/detail/CVE-2026-4775)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do TIFF processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libtiff6`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-20 11:42:37
### [CVE-2026-33636](https://nvd.nist.gov/vuln/detail/CVE-2026-33636)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libpng16-16t64`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-08 11:43:22
### [CVE-2026-33416](https://nvd.nist.gov/vuln/detail/CVE-2026-33416)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libpng16-16t64`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-08 11:01:10
### [CVE-2026-2921](https://nvd.nist.gov/vuln/detail/CVE-2026-2921)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not process media files when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libgstreamer-plugins-base1.0-0`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2026-03-24 12:23:52
### [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/wix does not connect to TLS servers using OpenSSL.
- **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-20 11:44:34
### [CVE-2026-0861](https://nvd.nist.gov/vuln/detail/CVE-2026-0861)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** No attacker-controlled allocation arguments. The fleetdm/wix container runs WiX toolset commands (heat.exe, candle.exe, light.exe) via Wine to compile .wxs files into an MSI. The only input is a volume-mounted temp directory containing Fleet-generated files (main.wxs, heat.wxs, the orbit root directory). None of this feeds attacker-controlled size/alignment values to memalign.
- **Products:** `wix`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2026-03-24 12:18:16
### [CVE-2025-66293](https://nvd.nist.gov/vuln/detail/CVE-2025-66293)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libpng16-16`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-19 18:03:45
### [CVE-2025-65018](https://nvd.nist.gov/vuln/detail/CVE-2025-65018)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libpng16-16`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-19 18:03:33
### [CVE-2025-64720](https://nvd.nist.gov/vuln/detail/CVE-2025-64720)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix.
- **Products:** `wix`,`pkg:deb/debian/libpng16-16`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2025-12-19 18:02:56
### [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** The WiX toolset is unaffected by the perl vulnerability.
- **Products:** `wix`,`pkg:deb/debian/perl-base`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2025-10-01 08:36:42
## `fleetdm/bomutils` docker image
### [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** fleetdm/bomutils does not connect to TLS servers using OpenSSL.
- **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy`
- **Justification:** `vulnerable_code_not_in_execute_path`
- **Timestamp:** 2026-04-20 11:48:55
### [CVE-2026-0861](https://nvd.nist.gov/vuln/detail/CVE-2026-0861)
- **Author:** @lucasmrod
- **Status:** `not_affected`
- **Status notes:** Use of mkbom and xar from fleetdm/bomutils has admin-controlled inputs.
- **Products:** `bomutils`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin`
- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
- **Timestamp:** 2026-03-24 08:41:27