Download notes for 6.3.3 and CVE-2024-31497

The Download notes for 6.3.3 say:

SSH core upgraded to PuTTY 0.80.

But I thought that version has the vulnerability, unless "SSH core" version is
different from the PuTTY executable version.

What "download notes" do you mean? Can you post a link?
The version history mentions "PuTTY 0.81":
https://winscp.net/eng/docs/history?a=6.3.3

On the download page https://winscp.net/eng/download.php it says

SSH core upgraded to PuTTY 0.80. That includes support for HMAC-SHA-512 and mitigation of “Terrapin” vulnerability.

Ok, those are major changes in WinSCP 6.3 release from February.
It does not include changes in later hotfixes.
If you click on "List of all changes", you will see PuTTY 0.81.

I have removed the mention of "PuTTY 0.80", so that people don't get confused.