# Vulnerability Report Following is the vulnerability report of Fleet and its dependencies. ## `fleetdm/fleet` docker image ### [CVE-2026-40200](https://nvd.nist.gov/vuln/detail/CVE-2026-40200) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet runs on 64-bit. The 64-bit trigger is ~23 trillion elements — that requires petabytes of contiguous memory in a single sort call. It is not reachable from any Fleet code path under any real workload. Also, the only way Fleet would touch musl's qsort is through a cgo dependency (SQLite via fts5, the only meaningful cgo path). Even SQLite's internal qsort calls are nowhere near the trigger threshold. - **Products:** `fleet`,`pkg:apk/alpine/musl`,`pkg:apk/alpine/musl-utils` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:51:37 ### [CVE-2026-39883](https://nvd.nist.gov/vuln/detail/CVE-2026-39883) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Exploiting this vulnerability already requires access to the host running the Fleet server (so its practical exploitability appears overstated by the CVSS score / High rating). Also the vulnerability affects BSD and Solaris platforms (which are not supported). - **Products:** `fleet`,`pkg:golang/go.opentelemetry.io/otel/sdk` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 15:03:59 ### [CVE-2026-33487](https://nvd.nist.gov/vuln/detail/CVE-2026-33487) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The loop variable capture is a real code defect, but its practical exploitability as a signature bypass (without possession of the IdP private key in the first place) appears overstated by the CVSS 7.5 / High rating. - **Products:** `fleet`,`pkg:golang/github.com/russellhaering/goxmldsig` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 15:00:17 ### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any. - **Products:** `fleet`,`pkg:golang/google.golang.org/grpc` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 12:38:53 ### [CVE-2026-32283](https://nvd.nist.gov/vuln/detail/CVE-2026-32283) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet connects using TLS to a strict set of URLs (e.g. for vulnerability scanning, Apple VPP features, Google/Android APIs, etc.). Exploiting this vulnerability requires a Fleet administrator to control URLs Fleet connects to (e.g. webhook URLs). This, combined with the fact that the vulnerabilities are DoS (do not affect data confidentiality) we consider this report to be MEDIUM instead of HIGH impact. Nonetheless, we advise upgrading to v4.84.2+ when it's available. - **Products:** `fleet`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 15:37:36 ### [CVE-2026-32281](https://nvd.nist.gov/vuln/detail/CVE-2026-32281) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet connects using TLS to a strict set of URLs (e.g. for vulnerability scanning, Apple VPP features, Google/Android APIs, etc.). Exploiting this vulnerability requires a Fleet administrator to control URLs Fleet connects to (e.g. webhook URLs). This, combined with the fact that the vulnerabilities are DoS (do not affect data confidentiality) we consider this report to be MEDIUM instead of HIGH impact. Nonetheless, we advise upgrading to v4.84.2+ when it's available. - **Products:** `fleet`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 15:37:25 ### [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet connects using TLS to a strict set of URLs (e.g. for vulnerability scanning, Apple VPP features, Google/Android APIs, etc.). Exploiting this vulnerability requires a Fleet administrator to control URLs Fleet connects to (e.g. webhook URLs). This, combined with the fact that the vulnerabilities are DoS (do not affect data confidentiality) we consider this report to be MEDIUM instead of HIGH impact. Nonetheless, we advise upgrading to v4.85.0 when it's available. - **Products:** `fleet`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 15:37:12 ### [CVE-2026-31789](https://nvd.nist.gov/vuln/detail/CVE-2026-31789) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleet uses Go TLS to connect to servers. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:42:11 ### [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleet uses Go TLS to connect to servers. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:41:44 ### [CVE-2026-28389](https://nvd.nist.gov/vuln/detail/CVE-2026-28389) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleet uses Go TLS to connect to servers. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:41:34 ### [CVE-2026-28388](https://nvd.nist.gov/vuln/detail/CVE-2026-28388) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleet uses Go TLS to connect to servers. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:41:22 ### [CVE-2026-28387](https://nvd.nist.gov/vuln/detail/CVE-2026-28387) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleet uses Go TLS to connect to servers. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:41:09 ### [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** All url.Parse inputs reachable in Fleet are admin-trusted configuration, not attacker-controlled. Nonetheless, we advise upgrading to v4.84.0 when possible. - **Products:** `fleet`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 17:05:55 ### [CVE-2026-22184](https://nvd.nist.gov/vuln/detail/CVE-2026-22184) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library. - **Products:** `fleet`,`pkg:apk/alpine/zlib@1.3.1-r2` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 12:01:11 ### [CVE-2025-9230](https://nvd.nist.gov/vuln/detail/CVE-2025-9230) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet uses Go cryptography packages. - **Products:** `fleet`,`pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-10-01 10:09:03 ### [CVE-2025-69419](https://nvd.nist.gov/vuln/detail/CVE-2025-69419) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go's crypto and TLS implementation. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 ### [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet does not mutate CA pool store between TLS sessions. - **Products:** `fleet`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 13:23:41 ### [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729) #### Statement: - **Author:** @lucasmrod - **Status:** `fixed` - **Products:** `fleet@v4.78.*` - **Timestamp:** 2025-12-10 19:26:25 #### Statement: - **Author:** @lucasmrod - **Status:** `affected` - **Status notes:** This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available. - **Products:** `fleet@v4.77.0`,`fleet@v4.76.0`,`fleet@v4.76.1`,`fleet@v4.75.0`,`fleet@v4.75.1`,`pkg:golang/stdlib@1.25.3` - **Action statement:** `No action statement provided` - **Timestamp:** 2025-12-10 19:26:10 ### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet does not use OPA in server mode, it uses it as a library. - **Products:** `fleet`,`pkg:golang/github.com/open-policy-agent/opa@v0.44.0`,`pkg:golang/github.com/open-policy-agent/opa@0.44.0` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-05-05 20:29:07 ### [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The token format being validated before the call to ParseUnverified. - **Products:** `fleet`,`pkg:golang/github.com/golang-jwt/jwt/v4` - **Justification:** `inline_mitigations_already_exist` - **Timestamp:** 2025-04-10 15:23:54 ### [CVE-2025-27509](https://nvd.nist.gov/vuln/detail/CVE-2025-27509) #### Statement: - **Author:** @lucasmrod - **Status:** `fixed` - **Products:** `pkg:golang/github.com/fleetdm/fleet/v4`,`cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:*` - **Timestamp:** 2025-05-12 16:30:30 #### Statement: - **Author:** @lucasmrod - **Status:** `affected` - **Products:** `cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.25.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.24.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.24.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.23.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.22.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.22.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.21.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.20.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.20.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.19.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.19.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.18.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.17.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.17.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.16.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.15.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.14.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.13.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.12.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.12.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.11.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.10.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.9.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.9.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.8.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.7.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.6.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.5.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.5.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.4.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.3.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.2.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.1.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc3:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc2:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v4.0.0-rc1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.13.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.12.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.11.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.10.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.10.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.9.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.8.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.4:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.7.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.6.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.5.1:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.5.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.4.0:*:*:*:*:*:*:*`,`cpe:2.3:a:fleetdm:fleet:v3.3.0:*:*:*:*:*:*:*` - **Action statement:** `Disable SAML SSO authentication.` - **Timestamp:** 2025-05-12 16:13:23 ### [CVE-2025-26519](https://nvd.nist.gov/vuln/detail/CVE-2025-26519) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet does not perform any EUC-KR to UTF-8 translation by libc. - **Products:** `fleet`,`pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-14 16:30:01 ### [CVE-2025-22874](https://nvd.nist.gov/vuln/detail/CVE-2025-22874) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions). - **Products:** `fleet`,`pkg:golang/stdlib@1.24.2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-23 16:48:42 ### [CVE-2025-21614](https://nvd.nist.gov/vuln/detail/CVE-2025-21614) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0. - **Products:** `fleet`,`pkg:golang/github.com/go-git/go-git/v5` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:43:15 ### [CVE-2025-21613](https://nvd.nist.gov/vuln/detail/CVE-2025-21613) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0. - **Products:** `fleet`,`pkg:golang/github.com/go-git/go-git/v5` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:42:55 ### [CVE-2025-15467](https://nvd.nist.gov/vuln/detail/CVE-2025-15467) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go's crypto and TLS implementation. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 ### [CVE-2024-8260](https://nvd.nist.gov/vuln/detail/CVE-2024-8260) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Fleet doesn't run on Windows, so it's not affected by this vulnerability. - **Products:** `fleet`,`pkg:golang/github.com/open-policy-agent/opa` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-05-05 20:54:14 ### [CVE-2024-12797](https://nvd.nist.gov/vuln/detail/CVE-2024-12797) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go TLS implementation. - **Products:** `fleet`,`pkg:apk/alpine/libcrypto3`,`pkg:apk/alpine/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:15:53 ### [CVE-2023-32698](https://nvd.nist.gov/vuln/detail/CVE-2023-32698) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0. - **Products:** `fleet`,`pkg:golang/github.com/goreleaser/nfpm/v2` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 15:28:30 ## `fleetdm/fleetctl` docker image ### [GHSA-72hv-8253-57qq](https://nvd.nist.gov/vuln/detail/GHSA-72hv-8253-57qq) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability only affects Java/JVM web applications that use Jackson's asynchronous (non-blocking) JSON parser. - **Products:** `fleetctl`,`pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.0` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 12:30:33 ### [GHSA-479m-364c-43vc](https://nvd.nist.gov/vuln/detail/GHSA-479m-364c-43vc) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not validate any XML signatures. - **Products:** `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-23 16:44:57 ### [CVE-2026-40962](https://nvd.nist.gov/vuln/detail/CVE-2026-40962) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl functionality does not make use of ffmpeg. - **Products:** `fleetctl`,`pkg:deb/debian/libavcodec61`,`pkg:deb/debian/libavformat61`,`pkg:deb/debian/libavutil59`,`pkg:deb/debian/libswresample5` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-04-27 17:38:09 ### [CVE-2026-34875](https://nvd.nist.gov/vuln/detail/CVE-2026-34875) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image. - **Products:** `fleetctl`,`pkg:deb/debian/libmbedcrypto16` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 12:06:49 ### [CVE-2026-34873](https://nvd.nist.gov/vuln/detail/CVE-2026-34873) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use Mbed TLS. The libmbedcrypto16 package is an unused transitive dependency in the container image. - **Products:** `fleetctl`,`pkg:deb/debian/libmbedcrypto16` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 12:06:46 ### [CVE-2026-33810](https://nvd.nist.gov/vuln/detail/CVE-2026-33810) - **Author:** @lucasmrod - **Status:** `affected` - **Products:** `fleetctl@v4.84.0`,`pkg:golang/stdlib@1.26.1` - **Action statement:** `Low probability of exploit: requires the fleetctl admin to (1) trust a private/enterprise CA that uses excluded DNS name constraints, (2) an attacker able to obtain a cert under that CA with a wildcard SAN whose case differs from the excluded constraint, and (3) a MITM or DNS-hijack position between the admin's workstation and the Fleet server. If all conditions are met, the attacker can impersonate the Fleet server over TLS and capture the admin's API token. The Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available.` - **Timestamp:** 2026-04-20 14:07:42 ### [CVE-2026-33487](https://nvd.nist.gov/vuln/detail/CVE-2026-33487) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Possible vulnerability in SSO service providers, not in fleetctl command line tool. - **Products:** `fleetctl`,`pkg:golang/github.com/russellhaering/goxmldsig` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-31 09:54:45 ### [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL. - **Products:** `fleetctl`,`pkg:golang/google.golang.org/grpc` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-23 19:20:41 ### [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280) - **Author:** @lucasmrod - **Status:** `affected` - **Products:** `fleetctl@v4.83.2`,`fleetctl@v4.83.1`,`fleetctl@v4.83.0`,`fleetctl@v4.82.2`,`fleetctl@v4.82.1`,`fleetctl@v4.82.0`,`fleetctl@v4.81.3`,`fleetctl@v4.81.2`,`fleetctl@v4.81.1`,`fleetctl@v4.81.0`,`fleetctl@v4.80.3`,`fleetctl@v4.80.2`,`fleetctl@v4.80.1`,`fleetctl@v4.80.0`,`fleetctl@v4.79.1`,`fleetctl@v4.79.0`,`fleetctl@v4.78.3`,`fleetctl@v4.78.2`,`fleetctl@v4.78.1`,`fleetctl@v4.78.0`,`fleetctl@v4.77.1`,`fleetctl@v4.77.0`,`fleetctl@v4.76.2`,`fleetctl@v4.76.1`,`fleetctl@v4.76.0`,`fleetctl@v4.75.2`,`fleetctl@v4.75.1`,`fleetctl@v4.75.0`,`fleetctl@v4.74.0`,`fleetctl@v4.73.5`,`fleetctl@v4.73.4`,`fleetctl@v4.73.3`,`fleetctl@v4.73.2`,`fleetctl@v4.73.1`,`fleetctl@v4.73.0`,`fleetctl@v4.72.1`,`fleetctl@v4.72.0`,`fleetctl@v4.71.1`,`fleetctl@v4.71.0`,`fleetctl@v4.70.1`,`fleetctl@v4.70.0`,`fleetctl@v4.69.0`,`fleetctl@v4.68.1`,`fleetctl@v4.68.0`,`fleetctl@v4.67.3`,`fleetctl@v4.67.2`,`fleetctl@v4.67.1`,`fleetctl@v4.67.0`,`fleetctl@v4.66.0`,`fleetctl@v4.65.0`,`fleetctl@v4.64.2`,`fleetctl@v4.64.1`,`fleetctl@v4.64.0`,`fleetctl@v4.63.2`,`fleetctl@v4.63.1`,`fleetctl@v4.63.0`,`fleetctl@v4.62.4`,`fleetctl@v4.62.3`,`fleetctl@v4.62.2`,`fleetctl@v4.62.1`,`fleetctl@v4.62.0`,`fleetctl@v4.61.0`,`fleetctl@v4.60.1`,`fleetctl@v4.60.0`,`fleetctl@v4.59.1`,`fleetctl@v4.59.0`,`fleetctl@v4.58.1`,`fleetctl@v4.58.0`,`fleetctl@v4.57.3`,`fleetctl@v4.57.2`,`fleetctl@v4.57.1`,`fleetctl@v4.57.0`,`fleetctl@v4.56.0`,`fleetctl@v4.55.2`,`fleetctl@v4.55.1`,`fleetctl@v4.55.0`,`fleetctl@v4.54.2`,`fleetctl@v4.54.1`,`fleetctl@v4.54.0`,`fleetctl@v4.53.2`,`fleetctl@v4.53.1`,`fleetctl@v4.53.0`,`fleetctl@v4.52.0`,`fleetctl@v4.51.1`,`fleetctl@v4.51.0`,`fleetctl@v4.50.2`,`fleetctl@v4.50.1`,`fleetctl@v4.50.0`,`fleetctl@v4.49.4`,`fleetctl@v4.49.3`,`fleetctl@v4.49.2`,`fleetctl@v4.49.1`,`fleetctl@v4.49.0`,`fleetctl@v4.48.3`,`fleetctl@v4.48.2`,`fleetctl@v4.48.1`,`fleetctl@v4.48.0`,`fleetctl@v4.47.3`,`fleetctl@v4.47.2`,`fleetctl@v4.47.1`,`fleetctl@v4.47.0`,`fleetctl@v4.46.2`,`fleetctl@v4.46.1`,`fleetctl@v4.46.0`,`fleetctl@v4.45.1`,`fleetctl@v4.45.0`,`fleetctl@v4.44.1`,`fleetctl@v4.44.0`,`fleetctl@v4.43.3`,`fleetctl@v4.43.2`,`fleetctl@v4.43.1`,`fleetctl@v4.43.0`,`fleetctl@v4.42.0`,`fleetctl@v4.41.1`,`fleetctl@v4.41.0`,`fleetctl@v4.40.0`,`fleetctl@v4.39.0`,`fleetctl@v4.38.1`,`fleetctl@v4.38.0`,`fleetctl@v4.37.0`,`fleetctl@v4.36.0`,`fleetctl@v4.35.2`,`fleetctl@v4.35.1`,`fleetctl@v4.35.0`,`fleetctl@v4.34.1`,`fleetctl@v4.34.0`,`fleetctl@v4.33.1`,`fleetctl@v4.33.0`,`fleetctl@v4.32.0`,`fleetctl@v4.31.1`,`fleetctl@v4.31.0`,`fleetctl@v4.30.1`,`fleetctl@v4.30.0`,`fleetctl@v4.29.1`,`fleetctl@v4.29.0`,`fleetctl@v4.28.1`,`fleetctl@v4.28.0`,`fleetctl@v4.27.1`,`fleetctl@v4.27.0`,`fleetctl@v4.26.0`,`fleetctl@v4.25.0`,`fleetctl@v4.24.1`,`fleetctl@v4.24.0`,`fleetctl@v4.23.0`,`fleetctl@v4.22.1`,`fleetctl@v4.22.0`,`fleetctl@v4.21.0`,`fleetctl@v4.20.1`,`fleetctl@v4.20.0`,`fleetctl@v4.19.1`,`fleetctl@v4.19.0`,`fleetctl@v4.18.0`,`fleetctl@v4.17.1`,`fleetctl@v4.17.0`,`fleetctl@v4.16.0`,`fleetctl@v4.15.0`,`fleetctl@v4.14.0`,`fleetctl@v4.13.2`,`fleetctl@v4.13.1`,`fleetctl@v4.13.0`,`fleetctl@v4.12.1`,`fleetctl@v4.12.0`,`fleetctl@v4.11.0`,`fleetctl@v4.10.0`,`fleetctl@v4.9.1`,`fleetctl@v4.9.0`,`fleetctl@v4.8.0`,`fleetctl@v4.7.0`,`fleetctl@v4.6.2`,`fleetctl@v4.6.1`,`fleetctl@v4.6.0`,`fleetctl@v4.5.1`,`fleetctl@v4.5.0`,`fleetctl@v4.4.3`,`fleetctl@v4.4.2`,`fleetctl@v4.4.1`,`fleetctl@v4.4.0`,`fleetctl@v4.3.2`,`fleetctl@v4.3.1`,`fleetctl@v4.3.0`,`fleetctl@v4.2.4`,`fleetctl@v4.2.3`,`fleetctl@v4.2.2`,`fleetctl@v4.2.1`,`fleetctl@v4.2.0`,`fleetctl@v4.1.0`,`fleetctl@v4.0.1`,`fleetctl@v4.0.0`,`fleetctl@v3.13.0`,`fleetctl@v3.12.0`,`fleetctl@v3.11.0`,`fleetctl@v3.10.1`,`fleetctl@v3.10.0`,`fleetctl@v3.9.0`,`fleetctl@v3.8.0`,`fleetctl@v3.7.4`,`fleetctl@v3.7.1`,`fleetctl@v3.7.0`,`fleetctl@v3.6.0`,`fleetctl@v3.5.1`,`fleetctl@v3.5.0`,`fleetctl@v3.4.0`,`fleetctl@v3.3.0`,`pkg:golang/stdlib@1.25.7` - **Action statement:** `Low impact: denial-of-service (high CPU) on the host running fleetctl if it connects to a hostile TLS peer (malicious/compromised Fleet server, or MITM presenting a valid-looking cert) that sends many intermediate certificates. No code execution or data disclosure, and the Fleet server itself is unaffected. Upgrade to a fleetctl build using Go >= 1.26.2 when available.` - **Timestamp:** 2026-04-20 14:00:03 ### [CVE-2026-27806](https://nvd.nist.gov/vuln/detail/CVE-2026-27806) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability in orbit not fleetctl. - **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 13:46:50 ### [CVE-2026-27465](https://nvd.nist.gov/vuln/detail/CVE-2026-27465) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** This is a vulnerability in Fleet, not fleetctl. - **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-13 12:33:34 ### [CVE-2026-26061](https://nvd.nist.gov/vuln/detail/CVE-2026-26061) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability in fleet server, not fleetctl. - **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-03-31 09:36:31 ### [CVE-2026-25679](https://nvd.nist.gov/vuln/detail/CVE-2026-25679) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL. - **Products:** `fleetctl`,`pkg:golang/stdlib` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-23 19:12:15 ### [CVE-2026-24515](https://nvd.nist.gov/vuln/detail/CVE-2026-24515) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not process XML using libexpat1, and when genrating packages the XMLs are defined. - **Products:** `fleetctl`,`pkg:deb/debian/libexpat1` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 ### [CVE-2026-23517](https://nvd.nist.gov/vuln/detail/CVE-2026-23517) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives. - **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `component_not_present` - **Timestamp:** 2026-01-30 09:25:41 ### [CVE-2026-0968](https://nvd.nist.gov/vuln/detail/CVE-2026-0968) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libssh. The libssh-4 package is an unused transitive dependency in the container image. - **Products:** `fleetctl`,`pkg:deb/debian/libssh-4` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 12:06:51 ### [CVE-2025-69419](https://nvd.nist.gov/vuln/detail/CVE-2025-69419) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleet uses Go's crypto and TLS implementation. - **Products:** `fleetctl`,`pkg:deb/debian/libssl3`,`pkg:deb/debian/openssl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 ### [CVE-2025-66516](https://nvd.nist.gov/vuln/detail/CVE-2025-66516) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not process end-user provided PDF files with Java when generating fleetd installers. The only PDF processing code is in Go for EULA documents. - **Products:** `fleetctl`,`pkg:maven/org.apache.tika/tika-core` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 18:12:45 ### [CVE-2025-66293](https://nvd.nist.gov/vuln/detail/CVE-2025-66293) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing. - **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 19:04:58 ### [CVE-2025-65018](https://nvd.nist.gov/vuln/detail/CVE-2025-65018) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing. - **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 19:04:42 ### [CVE-2025-64720](https://nvd.nist.gov/vuln/detail/CVE-2025-64720) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing. - **Products:** `fleetctl`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-10 19:04:07 ### [CVE-2025-61729](https://nvd.nist.gov/vuln/detail/CVE-2025-61729) #### Statement: - **Author:** @lucasmrod - **Status:** `fixed` - **Products:** `fleetctl@v4.78.*` - **Timestamp:** 2025-12-10 19:26:44 #### Statement: - **Author:** @lucasmrod - **Status:** `affected` - **Status notes:** This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available. - **Products:** `fleetctl@v4.77.0`,`fleetctl@v4.76.0`,`fleetctl@v4.76.1`,`fleetctl@v4.75.0`,`fleetctl@v4.75.1`,`pkg:golang/stdlib@1.25.3` - **Action statement:** `No action statement provided` - **Timestamp:** 2025-12-10 19:26:35 ### [CVE-2025-49796](https://nvd.nist.gov/vuln/detail/CVE-2025-49796) - **Author:** @sgress454 - **Status:** `not_affected` - **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation. - **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-13 15:57:38 ### [CVE-2025-49795](https://nvd.nist.gov/vuln/detail/CVE-2025-49795) - **Author:** @sgress454 - **Status:** `not_affected` - **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation. - **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-13 15:57:25 ### [CVE-2025-49794](https://nvd.nist.gov/vuln/detail/CVE-2025-49794) - **Author:** @sgress454 - **Status:** `not_affected` - **Status notes:** The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation. - **Products:** `fleetctl`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1`,`pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-13 15:56:50 ### [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers. - **Products:** `fleetctl`,`pkg:maven/commons-beanutils/commons-beanutils` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-06-02 07:33:44 ### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use OPA. - **Products:** `fleetctl`,`pkg:golang/github.com/open-policy-agent/opa` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-05-06 07:47:31 ### [CVE-2025-41249](https://nvd.nist.gov/vuln/detail/CVE-2025-41249) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Vulnerability affects web servers, not fleetctl. - **Products:** `fleetctl`,`pkg:maven/org.springframework/spring-core` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-09-22 10:27:40 ### [CVE-2025-31115](https://nvd.nist.gov/vuln/detail/CVE-2025-31115) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use liblzma5. - **Products:** `fleetctl`,`pkg:deb/debian/liblzma5` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-09 13:24:20 ### [CVE-2025-27509](https://nvd.nist.gov/vuln/detail/CVE-2025-27509) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives. - **Products:** `fleetctl`,`pkg:golang/github.com/fleetdm/fleet/v4` - **Justification:** `component_not_present` - **Timestamp:** 2025-09-12 09:25:41 ### [CVE-2025-15467](https://nvd.nist.gov/vuln/detail/CVE-2025-15467) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl uses Go's crypto and TLS implementation. - **Products:** `fleetctl`,`pkg:deb/debian/openssl`,`pkg:deb/debian/libssl3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-01-03 15:15:53 ### [CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. - **Products:** `fleetctl`,`pkg:maven/com.google.protobuf/protobuf-java` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 07:34:26 ### [CVE-2023-6879](https://nvd.nist.gov/vuln/detail/CVE-2023-6879) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use libaom3. - **Products:** `fleetctl`,`pkg:deb/debian/libaom3` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-15 10:28:21 ### [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use zlib C library. - **Products:** `fleetctl`,`pkg:deb/debian/zlib1g` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-15 10:17:19 ### [CVE-2023-32698](https://nvd.nist.gov/vuln/detail/CVE-2023-32698) - **Author:** @getvictor - **Status:** `not_affected` - **Status notes:** When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions. - **Products:** `fleetctl`,`pkg:golang/github.com/goreleaser/nfpm/v2` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-04-09 10:26:02 ### [CVE-2019-10202](https://nvd.nist.gov/vuln/detail/CVE-2019-10202) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. - **Products:** `fleetctl`,`pkg:maven/org.codehaus.jackson/jackson-mapper-asl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-15 10:31:31 ### [CVE-2013-4002](https://nvd.nist.gov/vuln/detail/CVE-2013-4002) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. - **Products:** `fleetctl`,`pkg:maven/xerces/xercesImpl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 07:36:31 ### [CVE-2012-0881](https://nvd.nist.gov/vuln/detail/CVE-2012-0881) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use Java. - **Products:** `fleetctl`,`pkg:maven/xerces/xercesImpl` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-04-10 14:46:52 ## `fleetdm/wix` docker image ### [CVE-2026-5201](https://nvd.nist.gov/vuln/detail/CVE-2026-5201) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do JPEG processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libgdk-pixbuf-2.0-0`,`pkg:deb/debian/libgdk-pixbuf2.0-common` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:41:33 ### [CVE-2026-4775](https://nvd.nist.gov/vuln/detail/CVE-2026-4775) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do TIFF processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libtiff6` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:42:37 ### [CVE-2026-33636](https://nvd.nist.gov/vuln/detail/CVE-2026-33636) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libpng16-16t64` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 11:43:22 ### [CVE-2026-33416](https://nvd.nist.gov/vuln/detail/CVE-2026-33416) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libpng16-16t64` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-08 11:01:10 ### [CVE-2026-31789](https://nvd.nist.gov/vuln/detail/CVE-2026-31789) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL. - **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:22:53 ### [CVE-2026-2921](https://nvd.nist.gov/vuln/detail/CVE-2026-2921) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not process media files when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libgstreamer-plugins-base1.0-0` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 12:23:52 ### [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/wix does not connect to TLS servers using OpenSSL. - **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:44:34 ### [CVE-2026-28389](https://nvd.nist.gov/vuln/detail/CVE-2026-28389) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL. - **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:24:11 ### [CVE-2026-28388](https://nvd.nist.gov/vuln/detail/CVE-2026-28388) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL. - **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:23:56 ### [CVE-2026-28387](https://nvd.nist.gov/vuln/detail/CVE-2026-28387) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/wix to connect to TLS servers using OpenSSL. - **Products:** `wix`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:23:45 ### [CVE-2026-0861](https://nvd.nist.gov/vuln/detail/CVE-2026-0861) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** No attacker-controlled allocation arguments. The fleetdm/wix container runs WiX toolset commands (heat.exe, candle.exe, light.exe) via Wine to compile .wxs files into an MSI. The only input is a volume-mounted temp directory containing Fleet-generated files (main.wxs, heat.wxs, the orbit root directory). None of this feeds attacker-controlled size/alignment values to memalign. - **Products:** `wix`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 12:18:16 ### [CVE-2025-66293](https://nvd.nist.gov/vuln/detail/CVE-2025-66293) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-19 18:03:45 ### [CVE-2025-65018](https://nvd.nist.gov/vuln/detail/CVE-2025-65018) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-19 18:03:33 ### [CVE-2025-64720](https://nvd.nist.gov/vuln/detail/CVE-2025-64720) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not do PNG processing when using fleetdm/wix. - **Products:** `wix`,`pkg:deb/debian/libpng16-16` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2025-12-19 18:02:56 ### [CVE-2023-31484](https://nvd.nist.gov/vuln/detail/CVE-2023-31484) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** The WiX toolset is unaffected by the perl vulnerability. - **Products:** `wix`,`pkg:deb/debian/perl-base` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2025-10-01 08:36:42 ## `fleetdm/bomutils` docker image ### [CVE-2026-31789](https://nvd.nist.gov/vuln/detail/CVE-2026-31789) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL. - **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:28:25 ### [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetdm/bomutils does not connect to TLS servers using OpenSSL. - **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-20 11:48:55 ### [CVE-2026-28389](https://nvd.nist.gov/vuln/detail/CVE-2026-28389) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL. - **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:29:08 ### [CVE-2026-28388](https://nvd.nist.gov/vuln/detail/CVE-2026-28388) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL. - **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:28:53 ### [CVE-2026-28387](https://nvd.nist.gov/vuln/detail/CVE-2026-28387) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** fleetctl does not use fleetdm/bomutils to connect to TLS servers using OpenSSL. - **Products:** `bomutils`,`pkg:deb/debian/libssl3t64`,`pkg:deb/debian/openssl`,`pkg:deb/debian/openssl-provider-legacy` - **Justification:** `vulnerable_code_not_in_execute_path` - **Timestamp:** 2026-04-27 14:28:43 ### [CVE-2026-0861](https://nvd.nist.gov/vuln/detail/CVE-2026-0861) - **Author:** @lucasmrod - **Status:** `not_affected` - **Status notes:** Use of mkbom and xar from fleetdm/bomutils have admin controlled inputs. - **Products:** `bomutils`,`pkg:deb/debian/libc6`,`pkg:deb/debian/libc-bin` - **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary` - **Timestamp:** 2026-03-24 08:41:27