Commit graph

18 commits

Author SHA1 Message Date
Lucas Manuel Rodriguez
c2d01c511e
Ignore fleetdm/fleet and fleetdm/fleetctl vulnerabilities (#44247)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/24980770051/job/73142219314.

Run: https://github.com/fleetdm/fleet/actions/runs/25018399091.

## Summary by CodeRabbit

* **Documentation**
  * Added OpenVEX vulnerability declarations for multiple CVEs, marking them as not affected for Fleet and fleetctl. Each entry includes metadata, human-readable status notes, and justifications addressing exploitability relative to Go runtime, Alpine/musl packages, crypto/SSL libraries, OpenTelemetry, xmldsig, and media libraries.
2026-04-27 18:07:52 -03:00
Lucas Manuel Rodriguez
39d8c6f118
Flag fleetdm/fleetctl vulnerabilities (#43785)
Run: https://github.com/fleetdm/fleet/actions/runs/24681592163.

## Summary by CodeRabbit

* **Documentation**
  * Added vulnerability disclosures for three CVEs.
  * CVE-2026-27806: marked as not affecting fleetctl.
  * CVE-2026-32280: denial-of-service affecting many fleetctl versions; recommend upgrading to a fleetctl build using Go ≥1.26.2 when available.
  * CVE-2026-33810: affects fleetctl v4.84.0; recommend upgrading to a fleetctl build using Go ≥1.26.2 when available.
2026-04-20 15:01:03 -03:00
Lucas Manuel Rodriguez
30f1719aca
Ignore CVEs on fleetdm/fleetctl (#43240)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/24121419823/job/70444895796

Run: https://github.com/fleetdm/fleet/actions/runs/24142910735
2026-04-08 17:46:41 -03:00
Lucas Manuel Rodriguez
93a782ab61
Add ignore to CVE found in fleetdm/fleetctl (#42711)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/23783786066/job/69302104997

Test runs: 
- https://github.com/fleetdm/fleet/actions/runs/23798426124
- https://github.com/fleetdm/fleet/actions/runs/23798449109
2026-03-31 10:27:07 -03:00
Lucas Manuel Rodriguez
ec9610bcea
Fix security warnings on fleetdm/fleetctl (#42276)
Fixes: https://github.com/fleetdm/fleet/actions/runs/23424438962

New runs: 
- Local: https://github.com/fleetdm/fleet/actions/runs/23463124995.
- Remote: https://github.com/fleetdm/fleet/actions/runs/23463145956.
2026-03-24 12:10:29 -03:00
Lucas Manuel Rodriguez
da34876029
Ignore vulnerabilities in fleetdm/fleetctl (#41647)
Fixes:
https://github.com/fleetdm/fleet/actions/runs/23038854478/job/66912680981.

Run with this branch:
https://github.com/fleetdm/fleet/actions/runs/23058249026
2026-03-13 14:22:40 -03:00
Lucas Manuel Rodriguez
a97f04b2f6
Add rule to exclude CVE-2026-23517 from fleetctl (#39097)
Run: https://github.com/fleetdm/fleet/actions/runs/21530332523.
2026-02-02 13:15:41 -03:00
Lucas Manuel Rodriguez
3957fc990c
Skip openssl vulns in Fleet (#39098)
Run: https://github.com/fleetdm/fleet/actions/runs/21532057134
2026-02-02 11:56:39 -03:00
Lucas Manuel Rodriguez
c557bcb782
Update security status (#37086)
Update our `security/status.md` file after analyzing currently reported
vulnerabilities.

https://github.com/fleetdm/fleet/actions/runs/20115346825
[Screenshot 2025-12-10 at 7 41 00 PM](https://github.com/user-attachments/assets/97e17b58-50a8-4556-9ceb-bcb6701d7d61)
2025-12-11 10:42:50 -03:00
Lucas Manuel Rodriguez
4fc731b9b2
Skip CVE in fleetctl (#33267)
Fixes https://github.com/fleetdm/fleet/actions/runs/17906206819.
2025-09-22 18:55:08 -03:00
Lucas Manuel Rodriguez
f16b58d576
Fix vulnerability report in fleetdm/fleet and properly fix in fleetdm… (#33026)
2025-09-16 12:06:45 -05:00
Lucas Manuel Rodriguez
0b0066bfe5
Add VEX rule to remove CVE-2025-27509 false positive on fleetctl (#32914)
2025-09-12 08:54:46 -05:00
jacobshandling
0f94a718d9
UI: Improve names, cleanup unused imports (#30434)
Side quest while doing feature work

---------

Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-06-30 16:00:22 -07:00
Scott Gress
ed8506dd77
Add VEX statements for libxml2 CVEs (#30011)
This PR adds VEX statement files for three vulnerabilities:

```
┌─────────┬────────────────┬──────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │  Status  │    Installed Version    │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2 │ CVE-2025-49794 │ CRITICAL │ affected │ 2.9.14+dfsg-1.3~deb12u1 │               │ libxml: Heap use after free (UAF) leads to Denial of service │
│         │                │          │          │                         │               │ (DoS)...                                                     │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49794                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49795 │          │          │                         │               │ libxml: Null pointer dereference leads to Denial of service  │
│         │                │          │          │                         │               │ (DoS)                                                        │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49795                   │
│         ├────────────────┤          │          │                         ├───────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-49796 │          │          │                         │               │ libxml: Type confusion leads to Denial of service (DoS)      │
│         │                │          │          │                         │               │ https://avd.aquasec.com/nvd/cve-2025-49796                   │
└─────────┴────────────────┴──────────┴──────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

The vulnerabilities in libxml2 do not affect fleetctl, since the attack
vector is DoS and fleetctl is not a server tool. Additionally, the
libxml2 package isn't used by fleetctl directly, but by the tools it
uses for code signing, which don't parse untrusted XML.
2025-06-13 17:00:49 -05:00
Lucas Manuel Rodriguez
f982fef35f
Skip CVE-2025-48734 for real (#29743)
I fixed [this](https://github.com/fleetdm/fleet/pull/29692) incorrectly
the first time (my trivy setup is broken on my workstation and I missed
the CI check failure on the original PR).
2025-06-04 01:29:21 -03:00
Lucas Manuel Rodriguez
c771623021
Mark CVE-2025-48734 as not affected (#29692)
https://fleetdm.slack.com/archives/C019WG4GH0A/p1748758788762129
2025-06-02 13:53:40 -03:00
Lucas Manuel Rodriguez
bfe3b186d3
Fix detected CVEs and docker scout exit code to fail the Github Action (#28836)
For #28837.

Fixing all of this because we got multiple reports from the
community and customers, and these were also detected by Amazon
Inspector.

- Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2.
- `docker scout` now fails the daily scheduled action if there are
CRITICAL,HIGH CVEs (we missed setting `exit-code: true`).
- Report CVE-2025-46569 as not affected by it because of our use of
OPA's go package.
- Report CVE-2024-8260 as not affected by it because Fleet doesn't run
on Windows.
- The `security/status.md` shows a lot of changes because we are now
sorting CVEs so that newest come first.

---

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
  - [ ] Make sure fleetd is compatible with the latest released version of
  Fleet (see [Must
  rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
  - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
  feature/bugfix should only apply to one platform (`runtime.GOOS`).
  - [ ] Manual QA must be performed in the three main OSs: macOS, Windows
  and Linux.
  - [ ] Auto-update manual QA, from released version of component to new
  version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
2025-05-06 13:35:27 -03:00
Lucas Manuel Rodriguez
895194d63b
Add scanning to released images and process to track vulnerabilities (#28087)
For #25902.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
2025-04-16 11:50:10 -03:00