website/docs: mark cves CVE-2026-49443 and CVE-2026-49448 (cherry-pick #22808 to version-2026.5) (#22864)

website/docs: mark cves CVE-2026-49443 and CVE-2026-49448 (#22808)

* mark cves

* Ignore spellcheck on redirects, headers.

---------

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>

cspell.config.jsonc

@@ -269,6 +269,8 @@
         ".docusaurus/**", // Cache
         "./{docs,website}/build", // Topic docs build output
         "./{docs,website}/**/build", // Workspaces output
+        "_redirects", // Redirects file
+        "_headers", // Headers file
         //#endregion
         //#region Golang
         "go.mod", // Go module file

website/docs/security/cves/CVE-2026-49443.md

@@ -1,6 +1,6 @@
 <!-- spellchecker:ignore GHSA-xp7f-xjjx-gwm8 -->
 
-# GHSA-xp7f-xjjx-gwm8
+# CVE-2026-49443 / GHSA-xp7f-xjjx-gwm8
 
 ## SourceStage bypass via empty POST
 

website/docs/security/cves/CVE-2026-49448.md

@@ -1,4 +1,4 @@
-# GHSA-5wcc-hf24-rf5h
+# CVE-2026-49443 / GHSA-5wcc-hf24-rf5h
 
 ## `UserSourceConnection.user` and `GroupSourceConnection.group` are changeable through the API
 

website/docs/static/_redirects

@@ -95,6 +95,8 @@
 /security/2023-06-cure53                                    /security/audits-and-certs/2023-06-cure53 301!
 /security/CVE-*                                             /security/cves/CVE-:splat 301!
 /security/GHSA-*                                            /security/cves/GHSA-:splat 301!
+/security/cves/GHSA-xp7f-xjjx-gwm8                          /security/cves/CVE-2026-49448
+/security/cves/GHSA-wr38-7xg8-fqxr                          /security/cves/CVE-2026-49443
 #endregion
 
 #region Troubleshooting