web/security: add some missing CVEs