vulnerabilities: - id: CVE-2026-40393 # No `paths:` constraint — Trivy reports OS-package CVEs against the # package name (libgbm1, libgl1-mesa-dri, libglx-mesa0, mesa-libgallium), # not against installed file paths. A `paths:` filter would silently # fail to match and the ignore would be a no-op (which it was). statement: >- Mesa OOB read (fix: Mesa 25.3.6 / 26.0.1). No Debian 13 backport available. Pulled transitively by libgl1 (required by OpenCV/RapidOCR). Tracked in #189 with follow-up to drop libgl1 via opencv-python-headless. expired_at: 2026-06-30