Hi Xavier,

On Fri, Mar 27, 2026 at 07:57:13AM +0100, Xavier wrote:
> Hi,
> 
> #1132020 speaks about 3 CVEs for node-path-to-regexp, but metadata are wrong:
> - CVE-2026-4867: affects versions < 0.1.13, we have all >6

Yes this was fixed earlier today.

> - CVE-2026-4923 and CVE-2026-4926 affect only testing/unstable
>   (vulnerable versions are [8.0.0 .. 8.3.0] and stable has 6.3.0)

We cannot always trust just mentioned ranges and the upstream GHSAs
unfortunately do not point out the fixes. Have we an idea about the
pairs of introducing commits and fixed commits for both CVEs so we can
sync up our tracking?

That would be great if you can identify those.

Regards,
Salvatore
