22 CVEs from Dependabot + Snyk + GHSA. Per CVE: severity, exposure path, exploitability (CISA KEV?), SLA clock, fix-available, applied/merged state. Surfaces 3 critical past SLA + 4 in CISA KEV catalog.