On VitalPBX, the OS dependencies/packages like OpenSSH and Nginx versions are managed by the Debian security team. The version numbers reported in the scan might not directly match upstream releases, as Debian applies security patches to their stable package versions without always bumping the version number.
To check if your installed versions are patched against these CVEs, you can check the Debian Security Tracker.