web/security: add CVEs to 2.5, 2.4.4, 2.3.5, 2.1.6