Vulnerability & Patch Log (Evidence 8.2.1)

Owner: Dr Simon Chapman (CTO) Reviewed and Approved By: Dr Serena Haywood (SIRO) Last SIRO Review: March 2026 Next Review: June 2026 Last Updated: 20 May 2026

Threat intelligence is sourced from NCSC Early Warning, GitHub Security Advisories, and OWASP and is reviewed as a standing item in our quarterly security meeting. Significant threat intelligence events are recorded in this log.

Monitoring Tools: pip-audit, ggshield (via pre-commit), GitHub Dependabot, CodeQL.

1. Active Vulnerability Exceptions (Open & Ignored)

Current Status: 3 active exceptions. Monitoring for upstream fixes.

Dependency CVE/PYSEC Affected Version Justification Date Added Review Date
pygments CVE-2026-4539 โ‰ค 2.19.2 (no fix released) Local-access-only ReDoS in AdlLexer (pygments/lexers/archetype.py). Not network-exploitable. No patched version available upstream; project has not yet responded to the disclosure. Exception will be removed as soon as a fixed release is published on PyPI. 27/03/2026 27/04/2026
pyjwt PYSEC-2025-183 2.12.1 (latest; disputed) Disputed by upstream supplier. The PYSEC flags "weak encryption" but the PyJWT maintainers note the key length is the responsibility of the calling application, not the library. We are already on the latest released version (2.12.1); no patched release exists. Key length requirements are enforced by our application configuration. Exception will be removed if an upstream fix is released. 20/05/2026 20/06/2026
markdown PYSEC-2026-89 3.10.2 (latest; OSV database issue) OSV database has not cleared this advisory against latest release. Package was updated from 3.10 โ†’ 3.10.2 (the fix was acknowledged by the vendor for 3.8.1+). pip-audit continues to flag 3.10.2 with no fix version listed, indicating the OSV record is either stale or incorrectly scoped. We are on the latest available release. Exception will be removed once the OSV/PYSEC record is corrected upstream or a further patched release is confirmed clear by pip-audit. 20/05/2026 20/06/2026

Our security scanning pipeline otherwise operates with zero vulnerability exceptions. All dependencies are monitored in real-time and any new vulnerabilities will cause immediate CI/CD pipeline failure.

Previously Active Exceptions (Now Resolved - January 2025)

The following vulnerabilities were previously silenced but have been fully remediated through dependency architecture improvements:

Dependency CVE / GHSA Resolution Method Date Resolved
Transitive (via ggshield) GHSA-79v4-65xg-pq4g Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-48p4-8xcf-vxj5 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-pq67-6m6q-mj2v Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-gm62-xv2j-4w53 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-2xpw-w6gg-jr37 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-wj6h-64fc-37mp Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) PYSEC-2024-187 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-428g-f7cq-pgp5 Isolated ggshield to pre-commit environment 18/01/2026
Transitive (via ggshield) GHSA-38jv-5279-wg99 Isolated ggshield to pre-commit environment 18/01/2026
cryptography CVE-2024-12797 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-50182 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-50181 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-66418 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2025-66471 Removed dependency pin, updated to latest 18/01/2026
urllib3 CVE-2024-3766 Removed dependency pin, updated to latest 18/01/2026
ecdsa CVE-2024-23342 Removed python-jose dependency entirely 18/01/2026
pygments CVE-2026-4539 โ‰ค 2.19.2 (no fix released) Local-access-only ReDoS

in AdlLexer. Not network-exploitable. No patched version available upstream. Exception will be removed as soon as a fixed release is published on PyPI. SIRO sign-off: Dr Serena Haywood, 29/03/2026. Under monthly review. | 27/03/2026 | 27/04/2026 |

2. Recently Remediated Patches (Closed)

Verified history of security updates applied. Real-time evidence is available in the CheckTick GitHub repository under the dependencies label and closed issues.

Date Dependency Version Change Reason / Security Fix Verified By
20/05/2026 markdown 3.10 -> 3.10.2 Security Fix: PYSEC-2026-89 โ€” malformed HTML-like sequences could cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Python-Markdown did not catch this exception, enabling remote unauthenticated Denial of Service in any application rendering attacker-controlled Markdown. Updated pyproject.toml constraint from ^3.6 to >=3.10.1; poetry.lock updated. CTO
20/05/2026 idna 3.11 -> 3.15 Security Fix: CVE-2026-45409 โ€” Incomplete fix for CVE-2024-3651. The valid_contexto function was invoked prior to input-length rejection, allowing payloads such as "\u0660" * N to consume significant CPU resources before being rejected, enabling denial-of-service via specially crafted arguments to idna.encode(). Fixed in 3.14 (fast-path rejection for long inputs) and extended in 3.15 (per-label conversions and codec support). Added explicit idna = ">=3.15" constraint to pyproject.toml; poetry.lock updated. CTO
20/05/2026 pymdown-extensions 10.20.1 -> 10.21.3 Security Fix: CVE-2026-46338 โ€” Regression of CVE-2023-32309 (GHSA-jh85-wwv9-24hv) fix in pymdownx.snippets. The restrict_base_path: True containment check used a plain str.startswith(base) comparison which does not enforce a directory boundary. A markdown snippet directive such as --8<-- "../docs_secret/leak.txt" could read files from sibling directories sharing the same path prefix (e.g. /x/docs_secret bypasses a base of /x/docs). Fixed in 10.21.3 by appending os.sep to the base before the prefix check. Updated pyproject.toml constraint from ^10.0 to >=10.21.3; poetry.lock updated. CTO
14/05/2026 urllib3 2.6.3 -> 2.7.0 Security Fix (2 CVEs): CVE-2026-44431 โ€” sensitive headers (Authorization, Cookie, Proxy-Authorization) were not stripped on cross-origin redirects when using the low-level ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) API. CVE-2026-44432 โ€” streaming API could decompress the full response body instead of only the requested bytes when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression, enabling potential denial of service via decompression bombs. Added explicit urllib3 = ">=2.7.0" constraint to pyproject.toml; poetry.lock updated. CTO
09/05/2026 django 5.2.13 -> 5.2.14 Security Fix (3 CVEs): CVE-2026-35192 โ€” with SESSION_SAVE_EVERY_REQUEST=True, response cache variation on cookies could be insufficient when the session is unmodified, enabling session theft after visits to cached public pages. CVE-2026-6907 โ€” django.middleware.cache.UpdateCacheMiddleware could cache responses where Vary: * is present, potentially storing and serving private data. CVE-2026-5766 โ€” ASGI requests with missing/understated Content-Length could bypass FILE_UPLOAD_MAX_MEMORY_SIZE, enabling large in-memory uploads and service degradation. Updated pyproject.toml constraint and poetry.lock. CTO
09/05/2026 axe-core 4.11.3 -> 4.11.4 Security/maintenance patch: Updated self-hosted checktick_app/static/js/axe-core.min.js using npm pack axe-core@4.11.4; regenerated SHA-384 SRI to sha384-JPn8kKVo7BLn9/zcbvarZHaq40amEwymg7J3Uhc7Lb4ds5KZ1kKLagxlEZX5iqWj; updated template integrity and refreshed docs/cdn-libraries.md. CTO
30/04/2026 axe-core 4.11.2 -> 4.11.3 Security/maintenance patch: Updated self-hosted checktick_app/static/js/axe-core.min.js using npm pack axe-core@4.11.3; regenerated SHA-384 SRI to sha384-ZCC+CzYtmcQl5Kc3P96iEgc7ws4aLd064TkQUd85k5wACc0i4CLl7+O5YLV+R9fq; updated workflow pin AXE_CORE_VERSION and refreshed docs/cdn-libraries.md. CTO
30/04/2026 HTMX 2.0.8 -> 2.0.10 Security/maintenance patch: Updated self-hosted checktick_app/static/js/htmx.min.js using npm pack htmx.org@2.0.10 and regenerated SHA-384 SRI to sha384-H5SrcfygHmAuTDZphMHqBJLc3FhssKjG7w/CeCpFReSfwBWDTKpkzPP8c+cLsK+V. Updated template integrity in checktick_app/templates/base.html, updated version pin in .github/workflows/update-cdn-libraries.yml, and refreshed HTMX entries in docs/cdn-libraries.md. CTO
14/04/2026 pillow 12.1.1 -> 12.2.0 Security Fix: CVE-2026-40192 โ€” Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). Fixed in 12.2.0. pyproject.toml constraint updated from ^12.1.1 to ^12.2.0; poetry.lock updated. CTO
14/04/2026 pytest 8.4.2 -> 9.0.3 Security Fix: CVE-2025-71176 โ€” pytest through 9.0.2 on UNIX relies on directories with a predictable /tmp/pytest-of-{user} name pattern, allowing local users to cause denial of service or possibly gain privileges. Fixed in 9.0.3. pyproject.toml constraint updated from ^8.3.2 to ^9.0.3; pytest-playwright co-updated from ^0.6.2 to ^0.7.0 (minimum version supporting pytest 9); poetry.lock updated. CTO
14/04/2026 axe-core 4.11.1 -> 4.11.2 pip-audit remediation: Updated self-hosted axe-core to 4.11.2. Asset sourced via npm pack axe-core@4.11.2; SHA-384 hash updated to sha384-zRVu3r+67m6UWo2ljwGVKxuMOzmMfp2lcxhNVGw0fk2xsbIpJ1mGyY7GV4jPiKu8. 4.11.1 โ†’ 4.11.2 is a patch release containing only bug fixes (no breaking changes). GitHub Actions workflow AXE_CORE_VERSION pin updated from 4.11.1 to 4.11.2. CTO
14/04/2026 ReDoc 2.1.5 -> 2.5.2 (static file) pip-audit remediation: The self-hosted static JS file checktick_app/static/js/redoc.standalone.min.js was found to still contain the 2.1.5 bundle despite the 29/03/2026 log entry. The file has now been replaced with the correct 2.5.2 bundle sourced via npm pack redoc@2.5.2; SHA-384 SRI hash verified as sha384-70P5pmIdaQdVbxvjhrcTDv1uKcKqalZ3OHi7S2J+uzDl0PW8dO6L+pHOpm9EEjGJ (consistent with template and docs). The GitHub Actions workflow REDOC_VERSION pin updated from 2.1.5 to 2.5.2. CTO
10/04/2026 cryptography 46.0.6 -> 46.0.7 Security Fix: CVE-2026-39892 โ€” Non-contiguous buffer passed to APIs accepting Python buffers (e.g. Hash.update()) could lead to buffer overflows on Python >3.11. Upgraded to 46.0.7 which validates buffer contiguity before processing. CTO
10/04/2026 django 5.2.12 -> 5.2.13 Security Fix (5 CVEs): CVE-2026-33033 โ€” MultiPartParser allows remote attackers to degrade performance via Content-Transfer-Encoding: base64 uploads with excessive whitespace. CVE-2026-33034 โ€” ASGI requests with missing/understated Content-Length could bypass DATA_UPLOAD_MAX_MEMORY_SIZE, allowing unbounded request body loading. CVE-2026-4292 โ€” Admin changelist forms using ModelAdmin.list_editable incorrectly allowed new instances to be created via forged POST data. CVE-2026-4277 โ€” Add permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin. CVE-2026-3902 โ€” ASGIRequest allowed header spoofing by exploiting an ambiguous mapping of headers with hyphens vs underscores. CTO
29/03/2026 ReDoc 2.1.5 -> 2.5.2 Dependency Upgrade: Updated self-hosted ReDoc to 2.5.2. Asset sourced via npm pack redoc@2.5.2; SHA-384 SRI hash regenerated and updated in checktick_app/api/templates/api/redoc.html and docs/cdn-libraries.md. CTO
27/03/2026 cryptography 46.0.5 -> 46.0.6 Security Fix: CVE-2026-34073 โ€” DNS name constraints were only validated against SANs in child certificates and not against the peer name presented during validation. A peer named bar.example.com could validate against *.example.com even if an excluded subtree constraint for bar.example.com existed in a parent certificate. Upgraded to 46.0.6 which now rejects any validation where the peer name would be rejected by a name constraint if it were a SAN. CTO
27/03/2026 requests 2.32.5 -> 2.33.0 Security Fix: CVE-2026-25645 โ€” extract_zipped_paths() used a predictable temp filename allowing a local attacker to pre-create a malicious file. Upgraded to 2.33.0 where extraction uses a non-deterministic location. CTO
25/03/2026 CSP base-uri โ€” Security Hardening (AD10): Added base-uri: 'self' directive to CONTENT_SECURITY_POLICY in checktick_app/settings.py. Prevents base-tag injection attacks where an attacker could redirect relative URL resolution to an attacker-controlled origin. CTO
25/03/2026 Admin URL path /admin/ โ†’ /ct-admin/ Security Hardening (AD11): Moved Django admin from default /admin/ path to /ct-admin/ in checktick_app/urls.py. Automated scanners probing the default path receive 404s. Primary protection remains CheckTickAdminSite returning 404 to all non-superusers. CTO
20/03/2026 swagger-ui-dist 5.17.14 -> Removed Security โ€“ Bootstrap 3.x bundled dependency. Swagger UI bundles Bootstrap 3.x (via SwaggerUIStandalonePreset) which contains multiple known XSS and prototype-pollution CVEs. Swagger UI was removed entirely and replaced with self-hosted ReDoc 2.1.5 (Bootstrap-free, no external CDN calls, no Google Fonts). The /api/docs route has been removed; /api/redoc remains the single interactive docs endpoint. CTO
20/03/2026 ReDoc CDN (v2.1.5) -> self-hosted (v2.1.5) Served from checktick_app/static/js/redoc.standalone.min.js with SHA-384 SRI verification. Google Fonts CDN call (fonts.googleapis.com) removed from the ReDoc template, eliminating third-party data exfiltration of visitor IPs. Asset sourced via npm pack redoc@2.1.5 for reproducibility. CTO
14/03/2026 black 24.10.0 -> 26.3.1 CVE-2026-32274 CTO
14/03/2026 pyjwt 2.10.1 -> 2.12.1 CVE-2026-32597 CTO
05/03/2026 django 5.2.11 -> 5.2.12 CVE-2026-25673 and CVE-2026-25674 fixes CTO
22/02/2026 SortableJS 1.15.6 -> 1.15.7 Updated to patched upstream release; regenerated SRI and self-hosted artifact. CTO
22/02/2026 django-csp 4.0 CSP_CONFIG replaces CONTENT_SECURITY_POLICY CTO
12/02/2026 pillow 11.3.0 -> 12.1.1 Security Fix: Fixed CVE-2026-25990 (out-of-bounds write in PSD image loader). Specially crafted PSD images could trigger memory corruption. All Pillow >= 10.3.0 users affected. CTO
12/02/2026 marshmallow 3.18.0 -> 3.26.2 Security Fix: Fixed CVE-2025-68480 (transitive dependency). Updated to latest secure version. CTO
12/02/2026 pip 25.3 -> 26.0.1 Security Fix: Fixed CVE-2026-1703. Updated to latest secure version. CTO
10/02/2026 cryptography 46.0.3 -> 46.0.5 Security Fix: Fixed CVE-2026-26007 (SECT curve public key validation bypass). Functions public_key_from_numbers, load_der_public_key, and load_pem_public_key now verify points belong to expected prime-order subgroup, preventing ECDSA signature forgery and ECDH key leakage. CTO
04/02/2026 django 5.1.x -> 5.2.11 Critical Security Update: Fixed CVE-2025-13473 (timing attack in mod_wsgi auth), CVE-2026-1207 (SQL injection in RasterField), CVE-2026-1312 (SQL injection in QuerySet.order_by), CVE-2026-1287 (SQL injection in FilteredRelation) CTO
04/02/2026 django-axes 6.5.2 -> 8.1.0 Updated for Django 6.0 compatibility. Adds enhanced brute-force protection features. CTO
04/02/2026 django-csp 3.8 -> 4.0 Breaking Change: Migrated to new CONTENT_SECURITY_POLICY configuration format. Updated @csp_exempt decorator syntax. CTO
04/02/2026 pip-audit 2.7.3 -> 2.10.0 Updated vulnerability scanning tool to latest version CTO
21/01/2026 axes-core 4.11.0 -> 4.11.1 Patch version upgrade to latest stable CTO
18/01/2026 python-jose 3.5.0 -> Removed Eliminated vulnerable ecdsa transitive dependency. JWT functionality provided by djangorestframework-simplejwt CTO
18/01/2026 ggshield Moved to pre-commit Architecture Change: Isolated security scanning tool from production dependencies. Prevents dependency pins from blocking security updates. CTO
18/01/2026 cryptography Unpinned -> Latest Removed pin previously required by ggshield. Now free to update immediately when patches released. CTO
18/01/2026 urllib3 Unpinned -> Latest Removed pin previously required by ggshield. Resolved 5 CVEs (CVE-2025-50182, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2024-3766). CTO
02/01/2026 requests 2.31.0 -> 2.32.0 Fixed CVE-2024-3651 (Header parsing) CTO
28/12/2025 daisyui 4.x -> 5.4.7 Dependency refresh & security hardening CTO
05/12/2025 jinja2 3.1.2 -> 3.1.4 Fixed GHSA-h75v-3vv6-5qhc (XSS risk) CTO
12/11/2025 django 5.0.x -> 5.1.0 Minor version upgrade to latest stable CTO

3. Automation & Triage Process

  1. Continuous Auditing: Our Security Scan GitHub Action runs on every Push, Pull Request, and daily at 06:00 UTC.
  2. Hard Block on Production: If pip-audit detects any vulnerability (Critical, High, Medium, or Low), the build fails and deployment is automatically blocked. No exceptions are configured.
  3. Isolated Security Tooling: Security scanning tools (ggshield, pre-commit) run in isolated environments managed by pre-commit, preventing their dependencies from constraining production packages.
  4. Zero-Exception Policy: Since January 2026, we maintain a zero-exception policy for vulnerability scanning. This ensures immediate visibility and remediation of any new vulnerabilities.
  5. Endpoint Sync: Developers are required to run poetry install locally to synchronize their development environment with the latest patched versions in poetry.lock, preventing 'version drift' between local and production environments.

4. Architecture Improvements (January 2026)

Key Change: Separated security scanning tool dependencies from application runtime dependencies.

Before:

  • Security tools (ggshield) were installed via Poetry alongside application dependencies
  • Security tools pinned critical dependencies (cryptography, urllib3) to outdated versions
  • Required maintaining an exception list of 10+ vulnerabilities
  • Could not update vulnerable dependencies without breaking security tools

After:

  • Security tools run in isolated pre-commit environments
  • Production dependencies are free to update immediately when patches are released
  • Zero vulnerabilities in production dependency tree
  • Zero exceptions required in CI/CD pipeline
  • Improved security posture and maintainability

This architectural change represents a significant improvement in our security monitoring capability while simultaneously reducing our vulnerability exposure.

5. CDN Artifact Handling & Integrity (January 2026)

Change: Updated automated CDN library refresh workflow to use npm pack as the canonical source for packaged JavaScript assets and to compute SRI from the package contents.

  • Reason: Downloading files directly into the repository root from third-party CDNs caused temporary artifacts to remain after workflow runs (triggering security scanners such as CodeQL). Using npm pack ensures the registry is the authoritative source and the artifact bytes are reproducible.
  • What changed: The update-cdn-libraries GitHub Action now:
  • Runs npm pack <pkg>@<version> in a temporary directory
  • Extracts the tarball, finds the minified asset, computes SHA-384 SRI from the file bytes, and atomically moves the asset into checktick_app/static/js/
  • Cleans up temporary files and directories using traps to avoid leaving files in the repository
  • Outcome: SRI values are computed from the exact npm package bytes; temporary files no longer appear in the repo root; CodeQL false-positives reduced.

Evidence: PR #155 updates the workflow and documentation to reflect this change and updates axe-core to 4.11.1 with the new SRI hash.