
docs: update CVE tracker — fix counts, add 50 new CVEs, archive resolved #148

Merged
cyyever merged 1 commit into main from docs/cve-tracker-update
Mar 30, 2026

Conversation


@cyyever cyyever commented Mar 30, 2026

Summary

  • Fix inflated summary counts — counts were wrong since inception (claimed 51, actual was 36). Now accurately reflects 84 tracked CVEs
  • Add 50 newly discovered CVEs from NVD API + GitHub Security Advisories (Cursor, Claude Code, MCP ecosystem, Codex CLI)
  • Assess defense coverage for all new entries (41 Full, 1 Partial, 8 Not defensible)
  • Archive 24 resolved CVEs (Full + Patched) to cve-tracker-archive.md
  • Add cve-reference.md as flat lookup table for all 84 CVEs
  • Upgrade 2 CVEs: CVE-2026-33946 (None → Full), CVE-2026-33980 (None → Partial)
  • Remove 2 unrelated CVEs: LangChain (CVE-2025-68664), LibreChat (CVE-2026-31945)
  • Update README.md CVE count (51 → 84)

Updated Coverage

| Status | Count | % |
|---|---|---|
| Full defense | 71 | 84.5% |
| Partial defense | 1 | 1.2% |
| Not defensible | 12 | 14.3% |
| Total | 84 | |

Test plan

  • doc-consistency pre-commit hook passes (README count matches tracker)
  • gitleaks passes (no secrets in advisory URLs)
  • Verify archived CVEs appear correctly in cve-tracker-archive.md
  • Spot-check 5 defense assessments against actual rule engine code

- Fix summary counts (were inflated since inception: 51 → 84 actual)
- Partial defense count corrected from 2 → 1 (both were upgraded to full)
- Add 50 newly discovered CVEs from NVD + GitHub Security Advisories
- Assess defense coverage for all new entries
- Archive 24 resolved CVEs (Full + Patched) to cve-tracker-archive.md
- Add cve-reference.md as flat lookup table
- Remove unrelated CVEs (LangChain, LibreChat)
- Upgrade CVE-2026-33946 (None → Full: MCP gateway catches hijacked sessions)
- Upgrade CVE-2026-33980 (None → Partial: Crust sees tool call args)
- Consolidate triage entries into main product sections
- Update README.md CVE count (51 → 84)
@cyyever cyyever merged commit a6d7eed into main Mar 30, 2026
16 checks passed
@cyyever cyyever deleted the docs/cve-tracker-update branch March 30, 2026 04:28
@cyyever cyyever restored the docs/cve-tracker-update branch March 30, 2026 04:28