Printed from CheckTick DSPT Compliance Documentation
Vulnerability & Patch Log (Evidence 8.2.1)
Owner: Dr Simon Chapman (CTO) Reviewed and Approved By: Dr Serena Haywood (SIRO) Last SIRO Review: March 2026 Next Review: June 2026 Last Updated: 10 April 2026
Threat intelligence is sourced from NCSC Early Warning, GitHub Security Advisories, and OWASP and is reviewed as a standing item in our quarterly security meeting. Significant threat intelligence events are recorded in this log.
Monitoring Tools: pip-audit, ggshield (via pre-commit), GitHub Dependabot, CodeQL.
1. Active Vulnerability Exceptions (Open & Ignored)
Current Status: 1 active exception. Monitoring for upstream fix.
| Dependency | CVE | Affected Version | Justification | Date Added | Review Date |
|---|---|---|---|---|---|
pygments |
CVE-2026-4539 | โค 2.19.2 (no fix released) | Local-access-only ReDoS in AdlLexer (pygments/lexers/archetype.py). Not network-exploitable. No patched version available upstream; project has not yet responded to the disclosure. Exception will be removed as soon as a fixed release is published on PyPI. |
27/03/2026 | 27/04/2026 |
Our security scanning pipeline otherwise operates with zero vulnerability exceptions. All dependencies are monitored in real-time and any new vulnerabilities will cause immediate CI/CD pipeline failure.
Previously Active Exceptions (Now Resolved - January 2025)
The following vulnerabilities were previously silenced but have been fully remediated through dependency architecture improvements:
| Dependency | CVE / GHSA | Resolution Method | Date Resolved |
|---|---|---|---|
Transitive (via ggshield) |
GHSA-79v4-65xg-pq4g | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-48p4-8xcf-vxj5 | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-pq67-6m6q-mj2v | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-gm62-xv2j-4w53 | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-2xpw-w6gg-jr37 | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-wj6h-64fc-37mp | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
PYSEC-2024-187 | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-428g-f7cq-pgp5 | Isolated ggshield to pre-commit environment |
18/01/2026 |
Transitive (via ggshield) |
GHSA-38jv-5279-wg99 | Isolated ggshield to pre-commit environment |
18/01/2026 |
cryptography |
CVE-2024-12797 | Removed dependency pin, updated to latest | 18/01/2026 |
urllib3 |
CVE-2025-50182 | Removed dependency pin, updated to latest | 18/01/2026 |
urllib3 |
CVE-2025-50181 | Removed dependency pin, updated to latest | 18/01/2026 |
urllib3 |
CVE-2025-66418 | Removed dependency pin, updated to latest | 18/01/2026 |
urllib3 |
CVE-2025-66471 | Removed dependency pin, updated to latest | 18/01/2026 |
urllib3 |
CVE-2024-3766 | Removed dependency pin, updated to latest | 18/01/2026 |
ecdsa |
CVE-2024-23342 | Removed python-jose dependency entirely |
18/01/2026 |
pygments |
CVE-2026-4539 | โค 2.19.2 (no fix released) | Local-access-only ReDoS |
in AdlLexer. Not network-exploitable. No patched version available upstream. |
|||
| Exception will be removed as soon as a fixed release is published on PyPI. | |||
| SIRO sign-off: Dr Serena Haywood, 29/03/2026. Under monthly review. | |||
| 27/03/2026 | 27/04/2026 |
2. Recently Remediated Patches (Closed)
Verified history of security updates applied. Real-time evidence is available in the CheckTick GitHub repository under the dependencies label and closed issues.
| Date | Dependency | Version Change | Reason / Security Fix | Verified By |
|---|---|---|---|---|
| 10/04/2026 | cryptography |
46.0.6 -> 46.0.7 | Security Fix: CVE-2026-39892 โ Non-contiguous buffer passed to APIs accepting Python buffers (e.g. Hash.update()) could lead to buffer overflows on Python >3.11. Upgraded to 46.0.7 which validates buffer contiguity before processing. |
CTO |
| 10/04/2026 | django |
5.2.12 -> 5.2.13 | Security Fix (5 CVEs): CVE-2026-33033 โ MultiPartParser allows remote attackers to degrade performance via Content-Transfer-Encoding: base64 uploads with excessive whitespace. CVE-2026-33034 โ ASGI requests with missing/understated Content-Length could bypass DATA_UPLOAD_MAX_MEMORY_SIZE, allowing unbounded request body loading. CVE-2026-4292 โ Admin changelist forms using ModelAdmin.list_editable incorrectly allowed new instances to be created via forged POST data. CVE-2026-4277 โ Add permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin. CVE-2026-3902 โ ASGIRequest allowed header spoofing by exploiting an ambiguous mapping of headers with hyphens vs underscores. |
CTO |
| 29/03/2026 | ReDoc |
2.1.5 -> 2.5.2 | Dependency Upgrade: Updated self-hosted ReDoc to 2.5.2. Asset sourced via npm pack redoc@2.5.2; SHA-384 SRI hash regenerated and updated in checktick_app/api/templates/api/redoc.html and docs/cdn-libraries.md. |
CTO |
| 27/03/2026 | cryptography |
46.0.5 -> 46.0.6 | Security Fix: CVE-2026-34073 โ DNS name constraints were only validated against SANs in child certificates and not against the peer name presented during validation. A peer named bar.example.com could validate against *.example.com even if an excluded subtree constraint for bar.example.com existed in a parent certificate. Upgraded to 46.0.6 which now rejects any validation where the peer name would be rejected by a name constraint if it were a SAN. |
CTO |
| 27/03/2026 | requests |
2.32.5 -> 2.33.0 | Security Fix: CVE-2026-25645 โ extract_zipped_paths() used a predictable temp filename allowing a local attacker to pre-create a malicious file. Upgraded to 2.33.0 where extraction uses a non-deterministic location. |
CTO |
| 25/03/2026 | CSP base-uri |
โ | Security Hardening (AD10): Added base-uri: 'self' directive to CONTENT_SECURITY_POLICY in checktick_app/settings.py. Prevents base-tag injection attacks where an attacker could redirect relative URL resolution to an attacker-controlled origin. |
CTO |
| 25/03/2026 | Admin URL path | /admin/ โ /ct-admin/ |
Security Hardening (AD11): Moved Django admin from default /admin/ path to /ct-admin/ in checktick_app/urls.py. Automated scanners probing the default path receive 404s. Primary protection remains CheckTickAdminSite returning 404 to all non-superusers. |
CTO |
| 20/03/2026 | swagger-ui-dist |
5.17.14 -> Removed | Security โ Bootstrap 3.x bundled dependency. Swagger UI bundles Bootstrap 3.x (via SwaggerUIStandalonePreset) which contains multiple known XSS and prototype-pollution CVEs. Swagger UI was removed entirely and replaced with self-hosted ReDoc 2.1.5 (Bootstrap-free, no external CDN calls, no Google Fonts). The /api/docs route has been removed; /api/redoc remains the single interactive docs endpoint. |
CTO |
| 20/03/2026 | ReDoc |
CDN (v2.1.5) -> self-hosted (v2.1.5) | Served from checktick_app/static/js/redoc.standalone.min.js with SHA-384 SRI verification. Google Fonts CDN call (fonts.googleapis.com) removed from the ReDoc template, eliminating third-party data exfiltration of visitor IPs. Asset sourced via npm pack redoc@2.1.5 for reproducibility. |
CTO |
| 14/03/2026 | black |
24.10.0 -> 26.3.1 | CVE-2026-32274 | CTO |
| 14/03/2026 | pyjwt |
2.10.1 -> 2.12.1 | CVE-2026-32597 | CTO |
| 05/03/2026 | django |
5.2.11 -> 5.2.12 | CVE-2026-25673 and CVE-2026-25674 fixes | CTO |
| 22/02/2026 | SortableJS |
1.15.6 -> 1.15.7 | Updated to patched upstream release; regenerated SRI and self-hosted artifact. | CTO |
| 22/02/2026 | django-csp |
4.0 | CSP_CONFIG replaces CONTENT_SECURITY_POLICY | CTO |
| 12/02/2026 | pillow |
11.3.0 -> 12.1.1 | Security Fix: Fixed CVE-2026-25990 (out-of-bounds write in PSD image loader). Specially crafted PSD images could trigger memory corruption. All Pillow >= 10.3.0 users affected. | CTO |
| 12/02/2026 | marshmallow |
3.18.0 -> 3.26.2 | Security Fix: Fixed CVE-2025-68480 (transitive dependency). Updated to latest secure version. | CTO |
| 12/02/2026 | pip |
25.3 -> 26.0.1 | Security Fix: Fixed CVE-2026-1703. Updated to latest secure version. | CTO |
| 10/02/2026 | cryptography |
46.0.3 -> 46.0.5 | Security Fix: Fixed CVE-2026-26007 (SECT curve public key validation bypass). Functions public_key_from_numbers, load_der_public_key, and load_pem_public_key now verify points belong to expected prime-order subgroup, preventing ECDSA signature forgery and ECDH key leakage. |
CTO |
| 04/02/2026 | django |
5.1.x -> 5.2.11 | Critical Security Update: Fixed CVE-2025-13473 (timing attack in mod_wsgi auth), CVE-2026-1207 (SQL injection in RasterField), CVE-2026-1312 (SQL injection in QuerySet.order_by), CVE-2026-1287 (SQL injection in FilteredRelation) | CTO |
| 04/02/2026 | django-axes |
6.5.2 -> 8.1.0 | Updated for Django 6.0 compatibility. Adds enhanced brute-force protection features. | CTO |
| 04/02/2026 | django-csp |
3.8 -> 4.0 | Breaking Change: Migrated to new CONTENT_SECURITY_POLICY configuration format. Updated @csp_exempt decorator syntax. | CTO |
| 04/02/2026 | pip-audit |
2.7.3 -> 2.10.0 | Updated vulnerability scanning tool to latest version | CTO |
| 21/01/2026 | axes-core |
4.11.0 -> 4.11.1 | Patch version upgrade to latest stable | CTO |
| 18/01/2026 | python-jose |
3.5.0 -> Removed | Eliminated vulnerable ecdsa transitive dependency. JWT functionality provided by djangorestframework-simplejwt |
CTO |
| 18/01/2026 | ggshield |
Moved to pre-commit | Architecture Change: Isolated security scanning tool from production dependencies. Prevents dependency pins from blocking security updates. | CTO |
| 18/01/2026 | cryptography |
Unpinned -> Latest | Removed pin previously required by ggshield. Now free to update immediately when patches released. |
CTO |
| 18/01/2026 | urllib3 |
Unpinned -> Latest | Removed pin previously required by ggshield. Resolved 5 CVEs (CVE-2025-50182, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2024-3766). |
CTO |
| 02/01/2026 | requests |
2.31.0 -> 2.32.0 | Fixed CVE-2024-3651 (Header parsing) | CTO |
| 28/12/2025 | daisyui |
4.x -> 5.4.7 | Dependency refresh & security hardening | CTO |
| 05/12/2025 | jinja2 |
3.1.2 -> 3.1.4 | Fixed GHSA-h75v-3vv6-5qhc (XSS risk) | CTO |
| 12/11/2025 | django |
5.0.x -> 5.1.0 | Minor version upgrade to latest stable | CTO |
3. Automation & Triage Process
- Continuous Auditing: Our
Security ScanGitHub Action runs on every Push, Pull Request, and daily at 06:00 UTC. - Hard Block on Production: If
pip-auditdetects any vulnerability (Critical, High, Medium, or Low), the build fails and deployment is automatically blocked. No exceptions are configured. - Isolated Security Tooling: Security scanning tools (
ggshield,pre-commit) run in isolated environments managed by pre-commit, preventing their dependencies from constraining production packages. - Zero-Exception Policy: Since January 2026, we maintain a zero-exception policy for vulnerability scanning. This ensures immediate visibility and remediation of any new vulnerabilities.
- Endpoint Sync: Developers are required to run
poetry installlocally to synchronize their development environment with the latest patched versions inpoetry.lock, preventing 'version drift' between local and production environments.
4. Architecture Improvements (January 2026)
Key Change: Separated security scanning tool dependencies from application runtime dependencies.
Before:
- Security tools (
ggshield) were installed via Poetry alongside application dependencies - Security tools pinned critical dependencies (
cryptography,urllib3) to outdated versions - Required maintaining an exception list of 10+ vulnerabilities
- Could not update vulnerable dependencies without breaking security tools
After:
- Security tools run in isolated pre-commit environments
- Production dependencies are free to update immediately when patches are released
- Zero vulnerabilities in production dependency tree
- Zero exceptions required in CI/CD pipeline
- Improved security posture and maintainability
This architectural change represents a significant improvement in our security monitoring capability while simultaneously reducing our vulnerability exposure.
5. CDN Artifact Handling & Integrity (January 2026)
Change: Updated automated CDN library refresh workflow to use npm pack as the canonical source for packaged JavaScript assets and to compute SRI from the package contents.
- Reason: Downloading files directly into the repository root from third-party CDNs caused temporary artifacts to remain after workflow runs (triggering security scanners such as CodeQL). Using
npm packensures the registry is the authoritative source and the artifact bytes are reproducible. - What changed: The
update-cdn-librariesGitHub Action now:- Runs
npm pack <pkg>@<version>in a temporary directory - Extracts the tarball, finds the minified asset, computes SHA-384 SRI from the file bytes, and atomically moves the asset into
checktick_app/static/js/ - Cleans up temporary files and directories using traps to avoid leaving files in the repository
- Runs
- Outcome: SRI values are computed from the exact npm package bytes; temporary files no longer appear in the repo root; CodeQL false-positives reduced.
Evidence: PR #155 updates the workflow and documentation to reflect this change and updates axe-core to 4.11.1 with the new SRI hash.