Bug
Resolution: Unresolved
Normal
sat-endeavour
Description of problem:
The duplicate CVEs in the errata are caused by one CVE having 2 or more URLs (see below).
[#<Katello::ErratumCve:0x0000560e9b405038
  id: 524614,
  erratum_id: 497834,
  cve_id: "CVE-2025-37803",
  href: "https://access.redhat.com/security/cve/CVE-2025-37803">,
 #<Katello::ErratumCve:0x0000560e9b35e620
  id: 554209,
  erratum_id: 497834,
  cve_id: "CVE-2025-37803",
  href: "https://www.redhat.com/security/data/cve/CVE-2025-37803.html">,
I am not exactly sure which URL is expected. Both URLs worked. The "www.redhat.com" one simply redirects to "access.redhat.com".
I guess this could be the cause. We synced "Repo A" that contained "erratum A" (with CVE href 'A') a few weeks ago. Later we synced "Repo B" that also contains "erratum A" (but with CVE href 'B').
How reproducible:
Not sure. I failed to reproduce the issue even though I had tried to sync some affected repos for the errata. It appears to be only reproducible before the CDN repo metadata is corrected.
Is this issue a regression from an earlier version:
I believe it is not a regression.
Business Impact / Additional info:
To work around the report issue, we can add a ".uniq" to the report template.
'CVEs': erratum.cves.map { |c| c.cve_id }.uniq,
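
The duplicate rows and the `.uniq` workaround described above, as an added example that is not part of the original report and is not Katello code. It uses a plain Ruby Struct as a constructed stand-in for `Katello::ErratumCve`; `duplicate_cves` and `report_cves` are hypothetical helper names, and the third sample row is a constructed placeholder.

```ruby
# Constructed stand-in for the Katello::ErratumCve rows shown in the report
# (a plain Struct, not the Katello model).
ErratumCve = Struct.new(:id, :erratum_id, :cve_id, :href, keyword_init: true)

# Constructed sample data: the two rows from the report plus one unaffected
# placeholder row.
ROWS = [
  ErratumCve.new(id: 524614, erratum_id: 497834, cve_id: "CVE-2025-37803",
                 href: "https://access.redhat.com/security/cve/CVE-2025-37803"),
  ErratumCve.new(id: 554209, erratum_id: 497834, cve_id: "CVE-2025-37803",
                 href: "https://www.redhat.com/security/data/cve/CVE-2025-37803.html"),
  ErratumCve.new(id: 1, erratum_id: 497834, cve_id: "CVE-0000-0001",
                 href: "https://access.redhat.com/security/cve/CVE-0000-0001"),
].freeze

# Find every CVE that is attached more than once to the same erratum.
# Returns { [erratum_id, cve_id] => [distinct hrefs, sorted] }.
def duplicate_cves(rows)
  rows.group_by { |r| [r.erratum_id, r.cve_id] }
      .select { |_key, group| group.size > 1 }
      .transform_values { |group| group.map(&:href).uniq.sort }
end

# The report column with and without the ".uniq" workaround.
def report_cves(rows, dedupe: true)
  ids = rows.map { |c| c.cve_id }
  dedupe ? ids.uniq : ids
end

if __FILE__ == $PROGRAM_NAME
  duplicate_cves(ROWS).each do |(erratum_id, cve_id), hrefs|
    puts "erratum #{erratum_id}: #{cve_id} has #{hrefs.size} hrefs"
    hrefs.each { |h| puts "  #{h}" }
  end
  puts "without .uniq: #{report_cves(ROWS, dedupe: false).inspect}"
  puts "with .uniq:    #{report_cves(ROWS).inspect}"
end
```

The `.uniq` call only hides the duplicates in the report output; the grouping check lists which errata still carry more than one row for the same CVE.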