CVE-2020-12695 does not track libupnp13 (pupnp). I noticed that the upstream v1.14 changelog entry includes work towards addressing this CVE, whilst the version shipped in Debian testing/sid is older (v1.8.4) and the CVE tracking page does not cover it. (please CC, I'm not subscribed)