CVEs affecting projects tracked on Release Alert, from NVD & OSV.
Joomla! 2.5.3 allows remote attackers to obtain the installation path via the Host HTTP Header.