From db3b2d34cbecea79a77644967d4d16aa0e7f823b Mon Sep 17 00:00:00 2001 From: Lucas Manuel Rodriguez Date: Mon, 20 Apr 2026 15:35:51 -0300 Subject: [PATCH] Fix parser extra colon (#43796) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extra colon in the "Products:" section auto-generated file: Screenshot 2026-04-20 at 3 07 26 PM ## Summary by CodeRabbit * **Bug Fixes** * Corrected formatting in product list display by removing redundant punctuation. --- security/status.md | 140 ++++++++++++++++----------------- tools/vex-parser/vex-parser.go | 2 +- 2 files changed, 71 insertions(+), 71 deletions(-) diff --git a/security/status.md b/security/status.md index 0bd91f2787..017f043943 100644 --- a/security/status.md +++ b/security/status.md @@ -9,7 +9,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any. -- **Products:**: `fleet`,`pkg:golang/google.golang.org/grpc` +- **Products:** `fleet`,`pkg:golang/google.golang.org/grpc` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 12:38:53 @@ -17,7 +17,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library. -- **Products:**: `fleet`,`pkg:apk/alpine/zlib@1.3.1-r2` +- **Products:** `fleet`,`pkg:apk/alpine/zlib@1.3.1-r2` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 12:01:11 
@@ -25,7 +25,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet uses Go cryptography packages. -- **Products:**: `fleet`,`pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21` +- **Products:** `fleet`,`pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-10-01 10:09:03 @@ -33,7 +33,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go's crypto and TLS implementation. -- **Products:**: `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` +- **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 @@ -41,7 +41,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet does not mutate CA pool store between TLS sessions. -- **Products:**: `fleet`,`pkg:golang/stdlib` +- **Products:** `fleet`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 13:23:41 
@@ -49,14 +49,14 @@ Following is the vulnerability report of Fleet and its dependencies. #### Statement: - **Author:** @lucasmrod - **Status:** `fixed` -- **Products:**: `fleet@v4.78.*` +- **Products:** `fleet@v4.78.*` - **Timestamp:** 2025-12-10 19:26:25 #### Statement: - **Author:** @lucasmrod - **Status:** `affected` - **Status notes:** This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available. -- **Products:**: `fleet@v4.77.0`,`fleet@v4.76.0`,`fleet@v4.76.1`,`fleet@v4.75.0`,`fleet@v4.75.1`,`pkg:golang/stdlib@1.25.3` +- **Products:** `fleet@v4.77.0`,`fleet@v4.76.0`,`fleet@v4.76.1`,`fleet@v4.75.0`,`fleet@v4.75.1`,`pkg:golang/stdlib@1.25.3` - **Action statement:** `No action statement provided` - **Timestamp:** 2025-12-10 19:26:10 @@ -64,7 +64,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet does not use OPA in server mode, it uses it as a library. -- **Products:**: `fleet`,`pkg:golang/github.com/open-policy-agent/opa@v0.44.0`,`pkg:golang/github.com/open-policy-agent/opa@0.44.0` +- **Products:** `fleet`,`pkg:golang/github.com/open-policy-agent/opa@v0.44.0`,`pkg:golang/github.com/open-policy-agent/opa@0.44.0` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-05-05 20:29:07 @@ -72,7 +72,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The token format being validated before the call to ParseUnverified. -- **Products:**: `fleet`,`pkg:golang/github.com/golang-jwt/jwt/v4` +- **Products:** `fleet`,`pkg:golang/github.com/golang-jwt/jwt/v4` - **Justification:** `inline_mitigations_already_exist` - **Timestamp:** 2025-04-10 15:23:54 
@@ -80,13 +80,13 @@ Following is the vulnerability report of Fleet and its dependencies. #### Statement: - **Author:** @lucasmrod - **Status:** `fixed` -- **Products:**: `pkg:golang/github.com/fleetdm/fleet/v4`,`cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:*` +- **Products:** `pkg:golang/github.com/fleetdm/fleet/v4`,`cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:*` - **Timestamp:** 2025-05-12 16:30:30 #### Statement: - **Author:** @lucasmrod - **Status:** `affected` -- **Products:**: `cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v
4.54.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*`,`cpe:2.3:a
:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.25.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.24.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.24.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.23.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.22.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.22.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.21.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.20.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.20.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.19.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.19.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.18.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.17.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.17.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.16.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.15.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.14.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.12.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.12.0:*:*:*:*:*
:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.11.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.10.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.9.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.9.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.8.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.7.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.5.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.5.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.1.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.13.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.12.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.11.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.10.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.10.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.9.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.8.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.6.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.5.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.5.0:*:*:*:*:*:*:*`,`
cpe:2.3:a:fleetdm:fleet:v3.4.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.3.0:*:*:*:*:*:*:*` +- **Products:** `cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm
:fleet:v4.48.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*`,`c
pe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.25.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.24.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.24.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.23.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.22.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.22.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.21.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.20.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.20.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.19.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.19.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.18.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.17.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.17.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.16.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.15.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.14.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.12.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.12.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.11.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.10.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.9.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.9.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.8.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.7.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.5.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.5.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.2:*:*:*:*:*:*:*`,
`cpe:2.3:a:fleetdm:fleet:v4.3.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.1.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.13.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.12.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.11.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.10.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.10.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.9.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.8.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.6.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.5.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.5.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.4.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.3.0:*:*:*:*:*:*:*` - **Action statement:** `Disable SAML SSO authentication.` - **Timestamp:** 2025-05-12 16:13:23 @@ -94,7 +94,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet does not perform any EUC-KR to UTF-8 translation by libc. -- **Products:**: `fleet`,`pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21` +- **Products:** `fleet`,`pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-14 16:30:01 
@@ -102,7 +102,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions). -- **Products:**: `fleet`,`pkg:golang/stdlib@1.24.2` +- **Products:** `fleet`,`pkg:golang/stdlib@1.24.2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-23 16:48:42 @@ -110,7 +110,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0. -- **Products:**: `fleet`,`pkg:golang/github.com/go-git/go-git/v5` +- **Products:** `fleet`,`pkg:golang/github.com/go-git/go-git/v5` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:43:15 @@ -118,7 +118,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0. -- **Products:**: `fleet`,`pkg:golang/github.com/go-git/go-git/v5` +- **Products:** `fleet`,`pkg:golang/github.com/go-git/go-git/v5` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:42:55 @@ -126,7 +126,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go's crypto and TLS implementation. -- **Products:**: `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` +- **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 
@@ -134,7 +134,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet doesn't run on Windows, so it's not affected by this vulnerability. -- **Products:**: `fleet`,`pkg:golang/github.com/open-policy-agent/opa` +- **Products:** `fleet`,`pkg:golang/github.com/open-policy-agent/opa` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-05-05 20:54:14 @@ -142,7 +142,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go TLS implementation. -- **Products:**: `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` +- **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:15:53 @@ -150,7 +150,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0. -- **Products:**: `fleet`,`pkg:golang/github.com/goreleaser/nfpm/v2` +- **Products:** `fleet`,`pkg:golang/github.com/goreleaser/nfpm/v2` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:28:30 @@ -160,7 +160,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability only affects Java/JVM web applications that use Jackson's asynchronous (non-blocking) JSON parser. -- **Products:**: `fleetctl`,`pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.0` +- **Products:** `fleetctl`,`pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.0` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 12:30:33 
@@ -168,7 +168,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not validate any XML signatures. -- **Products:**: `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig` +- **Products:** `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-23 16:44:57 @@ -176,7 +176,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image. -- **Products:**: `fleetctl`,`pkg:deb/debian/libmbedcrypto16` +- **Products:** `fleetctl`,`pkg:deb/debian/libmbedcrypto16` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 12:06:49 
@@ -184,14 +184,14 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image. -- **Products:**: `fleetctl`,`pkg:deb/debian/libmbedcrypto16` +- **Products:** `fleetctl`,`pkg:deb/debian/libmbedcrypto16` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 12:06:46 ### [CVE-2026-33810](https://nvd.nist.gov/vuln/detail/CVE-2026-33810) - **Author:** @lucasmrod - **Status:** `affected` -- **Products:**: `fleetctl@v4.84.0`,`pkg:golang/stdlib@1.26.1` +- **Products:** `fleetctl@v4.84.0`,`pkg:golang/stdlib@1.26.1` - **Action statement:** `Low probability of exploit: requires the fleetctl admin to (1) trust a private/enterprise CA that uses excluded DNS name constraints, (2) an attacker able to obtain a cert under that CA with a wildcard SAN whose case differs from the excluded constraint, and (3) a MITM or DNS-hijack position between the admin's workstation and the Fleet server. If all conditions are met, the attacker can impersonate the Fleet server over TLS and capture the admin's API token. The Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available.` - **Timestamp:** 2026-04-20 14:07:42 @@ -199,7 +199,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Possible vulnerability in SSO service providers, not in fleetctl command line tool. -- **Products:**: `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig` +- **Products:** `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-31 09:54:45 
@@ -207,14 +207,14 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL. -- **Products:**: `fleetctl`,`pkg:golang/google.golang.org/grpc` +- **Products:** `fleetctl`,`pkg:golang/google.golang.org/grpc` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-23 19:20:41 ### [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280) - **Author:** @lucasmrod - **Status:** `affected` -- **Products:**: `fleetctl@v4.83.2`,`fleetctl@v4.83.1`,`fleetctl@v4.83.0`,`fleetctl@v4.82.2`,`fleetctl@v4.82.1`,`fleetctl@v4.82.0`,`fleetctl@v4.81.3`,`fleetctl@v4.81.2`,`fleetctl@v4.81.1`,`fleetctl@v4.81.0`,`fleetctl@v4.80.3`,`fleetctl@v4.80.2`,`fleetctl@v4.80.1`,`fleetctl@v4.80.0`,`fleetctl@v4.79.1`,`fleetctl@v4.79.0`,`fleetctl@v4.78.3`,`fleetctl@v4.78.2`,`fleetctl@v4.78.1`,`fleetctl@v4.78.0`,`fleetctl@v4.77.1`,`fleetctl@v4.77.0`,`fleetctl@v4.76.2`,`fleetctl@v4.76.1`,`fleetctl@v4.76.0`,`fleetctl@v4.75.2`,`fleetctl@v4.75.1`,`fleetctl@v4.75.0`,`fleetctl@v4.74.0`,`fleetctl@v4.73.5`,`fleetctl@v4.73.4`,`fleetctl@v4.73.3`,`fleetctl@v4.73.2`,`fleetctl@v4.73.1`,`fleetctl@v4.73.0`,`fleetctl@v4.72.1`,`fleetctl@v4.72.0`,`fleetctl@v4.71.1`,`fleetctl@v4.71.0`,`fleetctl@v4.70.1`,`fleetctl@v4.70.0`,`fleetctl@v4.69.0`,`fleetctl@v4.68.1`,`fleetctl@v4.68.0`,`fleetctl@v4.67.3`,`fleetctl@v4.67.2`,`fleetctl@v4.67.1`,`fleetctl@v4.67.0`,`fleetctl@v4.66.0`,`fleetctl@v4.65.0`,`fleetctl@v4.64.2`,`fleetctl@v4.64.1`,`fleetctl@v4.64.0`,`fleetctl@v4.63.2`,`fleetctl@v4.63.1`,`fleetctl@v4.63.0`,`fleetctl@v4.62.4`,`fleetctl@v4.62.3`,`fleetctl@v4.62.2`,`fleetctl@v4.62.1`,`fleetctl@v4.62.0`,`fleetctl@v4.61.0`,`fleetctl@v4.60.1`,`fleetctl@v4.60.0`,`fleetctl@v4.59.1`,`fleetctl@v4.59.0`,`fleetctl@v4.58.1`,`fleetctl@v4.58.0`,`fleetctl@v4.57.3`,`fleetctl@v4.57.2`,`fleet
ctl@v4.57.1`,`fleetctl@v4.57.0`,`fleetctl@v4.56.0`,`fleetctl@v4.55.2`,`fleetctl@v4.55.1`,`fleetctl@v4.55.0`,`fleetctl@v4.54.2`,`fleetctl@v4.54.1`,`fleetctl@v4.54.0`,`fleetctl@v4.53.2`,`fleetctl@v4.53.1`,`fleetctl@v4.53.0`,`fleetctl@v4.52.0`,`fleetctl@v4.51.1`,`fleetctl@v4.51.0`,`fleetctl@v4.50.2`,`fleetctl@v4.50.1`,`fleetctl@v4.50.0`,`fleetctl@v4.49.4`,`fleetctl@v4.49.3`,`fleetctl@v4.49.2`,`fleetctl@v4.49.1`,`fleetctl@v4.49.0`,`fleetctl@v4.48.3`,`fleetctl@v4.48.2`,`fleetctl@v4.48.1`,`fleetctl@v4.48.0`,`fleetctl@v4.47.3`,`fleetctl@v4.47.2`,`fleetctl@v4.47.1`,`fleetctl@v4.47.0`,`fleetctl@v4.46.2`,`fleetctl@v4.46.1`,`fleetctl@v4.46.0`,`fleetctl@v4.45.1`,`fleetctl@v4.45.0`,`fleetctl@v4.44.1`,`fleetctl@v4.44.0`,`fleetctl@v4.43.3`,`fleetctl@v4.43.2`,`fleetctl@v4.43.1`,`fleetctl@v4.43.0`,`fleetctl@v4.42.0`,`fleetctl@v4.41.1`,`fleetctl@v4.41.0`,`fleetctl@v4.40.0`,`fleetctl@v4.39.0`,`fleetctl@v4.38.1`,`fleetctl@v4.38.0`,`fleetctl@v4.37.0`,`fleetctl@v4.36.0`,`fleetctl@v4.35.2`,`fleetctl@v4.35.1`,`fleetctl@v4.35.0`,`fleetctl@v4.34.1`,`fleetctl@v4.34.0`,`fleetctl@v4.33.1`,`fleetctl@v4.33.0`,`fleetctl@v4.32.0`,`fleetctl@v4.31.1`,`fleetctl@v4.31.0`,`fleetctl@v4.30.1`,`fleetctl@v4.30.0`,`fleetctl@v4.29.1`,`fleetctl@v4.29.0`,`fleetctl@v4.28.1`,`fleetctl@v4.28.0`,`fleetctl@v4.27.1`,`fleetctl@v4.27.0`,`fleetctl@v4.26.0`,`fleetctl@v4.25.0`,`fleetctl@v4.24.1`,`fleetctl@v4.24.0`,`fleetctl@v4.23.0`,`fleetctl@v4.22.1`,`fleetctl@v4.22.0`,`fleetctl@v4.21.0`,`fleetctl@v4.20.1`,`fleetctl@v4.20.0`,`fleetctl@v4.19.1`,`fleetctl@v4.19.0`,`fleetctl@v4.18.0`,`fleetctl@v4.17.1`,`fleetctl@v4.17.0`,`fleetctl@v4.16.0`,`fleetctl@v4.15.0`,`fleetctl@v4.14.0`,`fleetctl@v4.13.2`,`fleetctl@v4.13.1`,`fleetctl@v4.13.0`,`fleetctl@v4.12.1`,`fleetctl@v4.12.0`,`fleetctl@v4.11.0`,`fleetctl@v4.10.0`,`fleetctl@v4.9.1`,`fleetctl@v4.9.0`,`fleetctl@v4.8.0`,`fleetctl@v4.7.0`,`fleetctl@v4.6.2`,`fleetctl@v4.6.1`,`fleetctl@v4.6.0`,`fleetctl@v4.5.1`,`fleetctl@v4.5.0`,`fleetctl@v4.4.3`,`fleetctl@v4.4.2`,`fleetctl@v4.4.1`,`fle
etctl@v4.4.0`,`fleetctl@v4.3.2`,`fleetctl@v4.3.1`,`fleetctl@v4.3.0`,`fleetctl@v4.2.4`,`fleetctl@v4.2.3`,`fleetctl@v4.2.2`,`fleetctl@v4.2.1`,`fleetctl@v4.2.0`,`fleetctl@v4.1.0`,`fleetctl@v4.0.1`,`fleetctl@v4.0.0`,`fleetctl@v3.13.0`,`fleetctl@v3.12.0`,`fleetctl@v3.11.0`,`fleetctl@v3.10.1`,`fleetctl@v3.10.0`,`fleetctl@v3.9.0`,`fleetctl@v3.8.0`,`fleetctl@v3.7.4`,`fleetctl@v3.7.1`,`fleetctl@v3.7.0`,`fleetctl@v3.6.0`,`fleetctl@v3.5.1`,`fleetctl@v3.5.0`,`fleetctl@v3.4.0`,`fleetctl@v3.3.0`,`pkg:golang/stdlib@1.25.7` +- **Products:** `fleetctl@v4.83.2`,`fleetctl@v4.83.1`,`fleetctl@v4.83.0`,`fleetctl@v4.82.2`,`fleetctl@v4.82.1`,`fleetctl@v4.82.0`,`fleetctl@v4.81.3`,`fleetctl@v4.81.2`,`fleetctl@v4.81.1`,`fleetctl@v4.81.0`,`fleetctl@v4.80.3`,`fleetctl@v4.80.2`,`fleetctl@v4.80.1`,`fleetctl@v4.80.0`,`fleetctl@v4.79.1`,`fleetctl@v4.79.0`,`fleetctl@v4.78.3`,`fleetctl@v4.78.2`,`fleetctl@v4.78.1`,`fleetctl@v4.78.0`,`fleetctl@v4.77.1`,`fleetctl@v4.77.0`,`fleetctl@v4.76.2`,`fleetctl@v4.76.1`,`fleetctl@v4.76.0`,`fleetctl@v4.75.2`,`fleetctl@v4.75.1`,`fleetctl@v4.75.0`,`fleetctl@v4.74.0`,`fleetctl@v4.73.5`,`fleetctl@v4.73.4`,`fleetctl@v4.73.3`,`fleetctl@v4.73.2`,`fleetctl@v4.73.1`,`fleetctl@v4.73.0`,`fleetctl@v4.72.1`,`fleetctl@v4.72.0`,`fleetctl@v4.71.1`,`fleetctl@v4.71.0`,`fleetctl@v4.70.1`,`fleetctl@v4.70.0`,`fleetctl@v4.69.0`,`fleetctl@v4.68.1`,`fleetctl@v4.68.0`,`fleetctl@v4.67.3`,`fleetctl@v4.67.2`,`fleetctl@v4.67.1`,`fleetctl@v4.67.0`,`fleetctl@v4.66.0`,`fleetctl@v4.65.0`,`fleetctl@v4.64.2`,`fleetctl@v4.64.1`,`fleetctl@v4.64.0`,`fleetctl@v4.63.2`,`fleetctl@v4.63.1`,`fleetctl@v4.63.0`,`fleetctl@v4.62.4`,`fleetctl@v4.62.3`,`fleetctl@v4.62.2`,`fleetctl@v4.62.1`,`fleetctl@v4.62.0`,`fleetctl@v4.61.0`,`fleetctl@v4.60.1`,`fleetctl@v4.60.0`,`fleetctl@v4.59.1`,`fleetctl@v4.59.0`,`fleetctl@v4.58.1`,`fleetctl@v4.58.0`,`fleetctl@v4.57.3`,`fleetctl@v4.57.2`,`fleetctl@v4.57.1`,`fleetctl@v4.57.0`,`fleetctl@v4.56.0`,`fleetctl@v4.55.2`,`fleetctl@v4.55.1`,`fleetctl@v4.55.0`,`fleetctl@v4.54.2`,`fleet
ctl@v4.54.1`,`fleetctl@v4.54.0`,`fleetctl@v4.53.2`,`fleetctl@v4.53.1`,`fleetctl@v4.53.0`,`fleetctl@v4.52.0`,`fleetctl@v4.51.1`,`fleetctl@v4.51.0`,`fleetctl@v4.50.2`,`fleetctl@v4.50.1`,`fleetctl@v4.50.0`,`fleetctl@v4.49.4`,`fleetctl@v4.49.3`,`fleetctl@v4.49.2`,`fleetctl@v4.49.1`,`fleetctl@v4.49.0`,`fleetctl@v4.48.3`,`fleetctl@v4.48.2`,`fleetctl@v4.48.1`,`fleetctl@v4.48.0`,`fleetctl@v4.47.3`,`fleetctl@v4.47.2`,`fleetctl@v4.47.1`,`fleetctl@v4.47.0`,`fleetctl@v4.46.2`,`fleetctl@v4.46.1`,`fleetctl@v4.46.0`,`fleetctl@v4.45.1`,`fleetctl@v4.45.0`,`fleetctl@v4.44.1`,`fleetctl@v4.44.0`,`fleetctl@v4.43.3`,`fleetctl@v4.43.2`,`fleetctl@v4.43.1`,`fleetctl@v4.43.0`,`fleetctl@v4.42.0`,`fleetctl@v4.41.1`,`fleetctl@v4.41.0`,`fleetctl@v4.40.0`,`fleetctl@v4.39.0`,`fleetctl@v4.38.1`,`fleetctl@v4.38.0`,`fleetctl@v4.37.0`,`fleetctl@v4.36.0`,`fleetctl@v4.35.2`,`fleetctl@v4.35.1`,`fleetctl@v4.35.0`,`fleetctl@v4.34.1`,`fleetctl@v4.34.0`,`fleetctl@v4.33.1`,`fleetctl@v4.33.0`,`fleetctl@v4.32.0`,`fleetctl@v4.31.1`,`fleetctl@v4.31.0`,`fleetctl@v4.30.1`,`fleetctl@v4.30.0`,`fleetctl@v4.29.1`,`fleetctl@v4.29.0`,`fleetctl@v4.28.1`,`fleetctl@v4.28.0`,`fleetctl@v4.27.1`,`fleetctl@v4.27.0`,`fleetctl@v4.26.0`,`fleetctl@v4.25.0`,`fleetctl@v4.24.1`,`fleetctl@v4.24.0`,`fleetctl@v4.23.0`,`fleetctl@v4.22.1`,`fleetctl@v4.22.0`,`fleetctl@v4.21.0`,`fleetctl@v4.20.1`,`fleetctl@v4.20.0`,`fleetctl@v4.19.1`,`fleetctl@v4.19.0`,`fleetctl@v4.18.0`,`fleetctl@v4.17.1`,`fleetctl@v4.17.0`,`fleetctl@v4.16.0`,`fleetctl@v4.15.0`,`fleetctl@v4.14.0`,`fleetctl@v4.13.2`,`fleetctl@v4.13.1`,`fleetctl@v4.13.0`,`fleetctl@v4.12.1`,`fleetctl@v4.12.0`,`fleetctl@v4.11.0`,`fleetctl@v4.10.0`,`fleetctl@v4.9.1`,`fleetctl@v4.9.0`,`fleetctl@v4.8.0`,`fleetctl@v4.7.0`,`fleetctl@v4.6.2`,`fleetctl@v4.6.1`,`fleetctl@v4.6.0`,`fleetctl@v4.5.1`,`fleetctl@v4.5.0`,`fleetctl@v4.4.3`,`fleetctl@v4.4.2`,`fleetctl@v4.4.1`,`fleetctl@v4.4.0`,`fleetctl@v4.3.2`,`fleetctl@v4.3.1`,`fleetctl@v4.3.0`,`fleetctl@v4.2.4`,`fleetctl@v4.2.3`,`fleetctl@v4.2.2`,`fleetctl@v
4.2.1`,`fleetctl@v4.2.0`,`fleetctl@v4.1.0`,`fleetctl@v4.0.1`,`fleetctl@v4.0.0`,`fleetctl@v3.13.0`,`fleetctl@v3.12.0`,`fleetctl@v3.11.0`,`fleetctl@v3.10.1`,`fleetctl@v3.10.0`,`fleetctl@v3.9.0`,`fleetctl@v3.8.0`,`fleetctl@v3.7.4`,`fleetctl@v3.7.1`,`fleetctl@v3.7.0`,`fleetctl@v3.6.0`,`fleetctl@v3.5.1`,`fleetctl@v3.5.0`,`fleetctl@v3.4.0`,`fleetctl@v3.3.0`,`pkg:golang/stdlib@1.25.7` - **Action statement:** `Low impact: denial-of-service (high CPU) on the host running fleetctl if it connects to a hostile TLS peer (malicious/compromised Fleet server, or MITM presenting a valid-looking cert) that sends many intermediate certificates. No code execution or data disclosure, and the Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available.` - **Timestamp:** 2026-04-20 14:00:03 @@ -222,7 +222,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability in orbit not fleetctl. -- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` +- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 13:46:50 @@ -230,7 +230,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** This is a vulnerability in Fleet, not fleetctl. -- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` +- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 12:33:34 
@@ -238,7 +238,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability in fleet server, not fleetctl. -- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` +- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-31 09:36:31 @@ -246,7 +246,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL. -- **Products:**: `fleetctl`,`pkg:golang/stdlib` +- **Products:** `fleetctl`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-23 19:12:15 @@ -254,7 +254,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not process XML using libexpat1, and when genrating packages the XMLs are defined. -- **Products:**: `fleetctl`,`pkg:deb/debian/libexpat1` +- **Products:** `fleetctl`,`pkg:deb/debian/libexpat1` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 @@ -262,7 +262,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives. -- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` +- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `component_not_present` - **Timestamp:** 2026-01-30 09:25:41 
@@ -270,7 +270,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libssh. The libssh-4 package is an unused transitive dependency in the container image. -- **Products:**: `fleetctl`,`pkg:deb/debian/libssh-4` +- **Products:** `fleetctl`,`pkg:deb/debian/libssh-4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 12:06:51 @@ -278,7 +278,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go's crypto and TLS implementation. -- **Products:**: `fleetctl`,`pkg:deb/debian/libssl3`,`pkg:deb/debian/openssl` +- **Products:** `fleetctl`,`pkg:deb/debian/libssl3`,`pkg:deb/debian/openssl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 @@ -286,7 +286,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not process end-user provided PDF files with Java when generating fleetd installers. The only PDF processing code is in Go for EULA documents. -- **Products:**: `fleetctl`,`pkg:maven/org.apache.tika/tika-core` +- **Products:** `fleetctl`,`pkg:maven/org.apache.tika/tika-core` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 18:12:45 
@@ -294,7 +294,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing. -- **Products:**: `fleetctl`,`pkg:deb/debian/libpng16-16` +- **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 19:04:58 @@ -302,7 +302,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing. -- **Products:**: `fleetctl`,`pkg:deb/debian/libpng16-16` +- **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 19:04:42 @@ -310,7 +310,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing. -- **Products:**: `fleetctl`,`pkg:deb/debian/libpng16-16` +- **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 19:04:07 
@@ -318,14 +318,14 @@ Following is the vulnerability report of Fleet and its dependencies. #### Statement: - **Author:** @lucasmrod - **Status:** `fixed` -- **Products:**: `fleetctl@v4.78.*` +- **Products:** `fleetctl@v4.78.*` - **Timestamp:** 2025-12-10 19:26:44 #### Statement: - **Author:** @lucasmrod - **Status:** `affected` - **Status notes:** This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available. -- **Products:**: `fleetctl@v4.77.0`,`fleetctl@v4.76.0`,`fleetctl@v4.76.1`,`fleetctl@v4.75.0`,`fleetctl@v4.75.1`,`pkg:golang/stdlib@1.25.3` +- **Products:** `fleetctl@v4.77.0`,`fleetctl@v4.76.0`,`fleetctl@v4.76.1`,`fleetctl@v4.75.0`,`fleetctl@v4.75.1`,`pkg:golang/stdlib@1.25.3` - **Action statement:** `No action statement provided` - **Timestamp:** 2025-12-10 19:26:35 @@ -333,7 +333,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @sgress454 - **Status:** `not_affected` - **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation. -- **Products:**: `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2` +- **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-13 15:57:38 
@@ -341,7 +341,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @sgress454 - **Status:** `not_affected` - **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation. -- **Products:**: `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1` +- **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-13 15:57:25 @@ -349,7 +349,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @sgress454 - **Status:** `not_affected` - **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation. -- **Products:**: `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2` +- **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-13 15:56:50 
@@ -357,7 +357,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers. -- **Products:**: `fleetctl`,`pkg:maven/commons-beanutils/commons-beanutils` +- **Products:** `fleetctl`,`pkg:maven/commons-beanutils/commons-beanutils` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-02 07:33:44 @@ -365,7 +365,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use OPA. -- **Products:**: `fleetctl`,`pkg:golang/github.com/open-policy-agent/opa` +- **Products:** `fleetctl`,`pkg:golang/github.com/open-policy-agent/opa` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-05-06 07:47:31 @@ -373,7 +373,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability affects web servers, not fleetctl. -- **Products:**: `fleetctl`,`pkg:maven/org.springframework/spring-core` +- **Products:** `fleetctl`,`pkg:maven/org.springframework/spring-core` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-09-22 10:27:40 @@ -381,7 +381,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use liblzma5. -- **Products:**: `fleetctl`,`pkg:deb/debian/liblzma5` +- **Products:** `fleetctl`,`pkg:deb/debian/liblzma5` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-09 13:24:20 
@@ -389,7 +389,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives. -- **Products:**: `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` +- **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `component_not_present` - **Timestamp:** 2025-09-12 09:25:41 @@ -397,7 +397,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl uses Go's crypto and TLS implementation. -- **Products:**: `fleetctl`,`pkg:deb/debian/openssl`,`pkg:deb/debian/libssl3` +- **Products:** `fleetctl`,`pkg:deb/debian/openssl`,`pkg:deb/debian/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 @@ -405,7 +405,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. -- **Products:**: `fleetctl`,`pkg:maven/com.google.protobuf/protobuf-java` +- **Products:** `fleetctl`,`pkg:maven/com.google.protobuf/protobuf-java` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 07:34:26 @@ -413,7 +413,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use libaom3. -- **Products:**: `fleetctl`,`pkg:deb/debian/libaom3` +- **Products:** `fleetctl`,`pkg:deb/debian/libaom3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-15 10:28:21 
@@ -421,7 +421,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use zlib C library. -- **Products:**: `fleetctl`,`pkg:deb/debian/zlib1g` +- **Products:** `fleetctl`,`pkg:deb/debian/zlib1g` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-15 10:17:19 @@ -429,7 +429,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @getvictor - **Status:** `not_affected` - **Status notes:** When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions. -- **Products:**: `fleetctl`,`pkg:golang/github.com/goreleaser/nfpm/v2` +- **Products:** `fleetctl`,`pkg:golang/github.com/goreleaser/nfpm/v2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-04-09 10:26:02 @@ -437,7 +437,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. -- **Products:**: `fleetctl`,`pkg:maven/org.codehaus.jackson/jackson-mapper-asl` +- **Products:** `fleetctl`,`pkg:maven/org.codehaus.jackson/jackson-mapper-asl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-15 10:31:31 @@ -445,7 +445,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. -- **Products:**: `fleetctl`,`pkg:maven/xerces/xercesImpl` +- **Products:** `fleetctl`,`pkg:maven/xerces/xercesImpl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 07:36:31 
@@ -453,7 +453,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. -- **Products:**: `fleetctl`,`pkg:maven/xerces/xercesImpl` +- **Products:** `fleetctl`,`pkg:maven/xerces/xercesImpl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 14:46:52 @@ -463,7 +463,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do JPEG processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libgdk-pixbuf-2.0-0`,`pkg:deb/debian/libgdk-pixbuf2.0-common` +- **Products:** `wix`,`pkg:deb/debian/libgdk-pixbuf-2.0-0`,`pkg:deb/debian/libgdk-pixbuf2.0-common` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:41:33 @@ -471,7 +471,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do TIFF processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libtiff6` +- **Products:** `wix`,`pkg:deb/debian/libtiff6` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:42:37 @@ -479,7 +479,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libpng16-16t64` +- **Products:** `wix`,`pkg:deb/debian/libpng16-16t64` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 11:43:22 
@@ -487,7 +487,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libpng16-16t64` +- **Products:** `wix`,`pkg:deb/debian/libpng16-16t64` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 11:01:10 @@ -495,7 +495,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not process media files when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libgstreamer-plugins-base1.0-0` +- **Products:** `wix`,`pkg:deb/debian/libgstreamer-plugins-base1.0-0` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 12:23:52 @@ -503,7 +503,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/wix does not connect to TLS servers using OpenSSL. -- **Products:**: `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` +- **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:44:34 
@@ -511,7 +511,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** No attacker-controlled allocation arguments. The fleetdm/wix container runs WiX toolset commands (heat.exe, candle.exe, light.exe) via Wine to compile .wxs files into an MSI. The only input is a volume-mounted temp directory containing Fleet-generated files (main.wxs, heat.wxs, the orbit root directory). None of this feeds attacker-controlled size/alignment values to memalign. -- **Products:**: `wix`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin` +- **Products:** `wix`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 12:18:16 @@ -519,7 +519,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libpng16-16` +- **Products:** `wix`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-19 18:03:45 @@ -527,7 +527,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libpng16-16` +- **Products:** `wix`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-19 18:03:33 
@@ -535,7 +535,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. -- **Products:**: `wix`,`pkg:deb/debian/libpng16-16` +- **Products:** `wix`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-19 18:02:56 @@ -543,7 +543,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The WiX toolset is unaffected by the perl vulnerability. -- **Products:**: `wix`,`pkg:deb/debian/perl-base` +- **Products:** `wix`,`pkg:deb/debian/perl-base` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-10-01 08:36:42 @@ -553,7 +553,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/bomutils does not connect to TLS servers using OpenSSL. -- **Products:**: `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` +- **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:48:55 @@ -561,7 +561,7 @@ Following is the vulnerability report of Fleet and its dependencies. - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Use of mkbom and xar from fleetdm/bomutils have admin controlled inputs. -- **Products:**: `bomutils`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin` +- **Products:** `bomutils`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 08:41:27 
diff --git a/tools/vex-parser/vex-parser.go b/tools/vex-parser/vex-parser.go index 338d926419..51f21abf02 100644 --- a/tools/vex-parser/vex-parser.go +++ b/tools/vex-parser/vex-parser.go @@ -81,7 +81,7 @@ func generateMarkdown(vex *OpenVEXDocument) (string, error) { } sb.WriteString(fmt.Sprintf("- **Status notes:** %s\n", statusNotes)) } - sb.WriteString("- **Products:**: ") + sb.WriteString("- **Products:** ") var ids []string for _, product := range stmt.Products { ids = append(ids, "`"+product.ID+"`")
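Review bot: the vex-parser.go hunk fixes the stray colon in the hard-coded literal, but nothing guards against the same class of regression in the other field labels emitted by `generateMarkdown` (`- **Status notes:** `, and presumably the `Author`, `Status`, `Justification` and `Timestamp` lines written the same way). Suggest adding a small golden test that feeds a minimal `OpenVEXDocument` with one statement into `generateMarkdown` and asserts the exact rendered lines, so a label typo is caught at test time rather than noticed in a screenshot of the generated file. While there, consider joining the product IDs with `", "` instead of `","`; the regenerated status.md shows lines such as `fleet`,`pkg:golang/stdlib` with no space after the comma, which reads poorly once the list grows.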
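Review bot: in the status.md hunk carrying the `fleetctl` statement that ends with `pkg:golang/stdlib@1.25.7` and the action statement about hostile TLS peers, the product list enumerates every fleetctl release from `fleetctl@v4.83.2` down to `fleetctl@v3.3.0` individually, which is what makes these hunk lines so long and hard to review. The same file already uses a wildcard form (`fleetctl@v4.78.*` in the `@@ -318,14 +318,14 @@` hunk), so the source VEX statement could express "all releases up to the fix" as a range or wildcard instead of a several-hundred-entry list; that keeps the regenerated markdown diffable and avoids silently missing a version when the list is maintained by hand.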
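Review bot: in the `@@ -318,14 +318,14 @@` hunk the `affected` statement for `fleetctl@v4.77.0` through `fleetctl@v4.75.1` renders `- **Action statement:** \`No action statement provided\`` while the remediation ("we still recommend upgrading to 4.78.* when it's available") sits in the status notes. Since this file is generated from the VEX source by `generateMarkdown`, the fix belongs in the source statement: move the upgrade recommendation into the action statement field so consumers that read only the action statement get it. The same applies to the `@@ -254,7 +254,7 @@` hunk, where "genrating" in the status notes should be corrected in the source VEX statement rather than in this generated markdown.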