Server shows vulnerable for a module which is not installed on server.

For a server where php7.2 is installed https://access.redhat.com/security/cve/cve-2019-11043 shows up as vulnerable with applicable erratum RHSA-2019:3736 which is for php7.3

On the server:

Insights shows advisory "RHSA-2019:3736". In the CVE page we can see this advisory is specifically for the php:7.3 module stream, which is not enabled on this system:

[jeperez@supportshell-1 lxelifd3]$ cat sos_commands/dnf/dnf_module_list | grep php
php 7.2 [d][e] common [d], devel, minimal PHP scripting language
php 7.3 common [d], devel, minimal PHP scripting language
php 7.4 common [d], devel, minimal PHP scripting language
php 8.0 common [d], devel, minimal PHP scripting language
php 8.2 common [d], devel, minimal PHP scripting language