Missing vuxml entry, no fix yet http://www.talosintelligence.com/reports/TALOS-2016-0190/
They didn't test 4.0.7? I'm not sure if that's vulnerable. Hard to make a vuxml entry without further details.
(In reply to Mark Felder from comment #1) The release notes do not indicate this issue as fixed but do cite other CVEs. I will dig in tomorrow & see if it was just a case of being missed out.