# Accepted vulnerabilities — reviewed, justified, and tracked.
# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
#
# ---------------------------------------------------------------------------
# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
# signing) requires cryptography <44. The two findings below are only fixed in
# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
#
# Reviewed: 2026-06-23  |  Next review: 2026-09-23
# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
#                   then set cryptography>=48.0.1 and delete these lines.
# ---------------------------------------------------------------------------

# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
CVE-2026-26007

# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
GHSA-537c-gmf6-5ccf