CVEs affecting projects tracked on Release Alert, from NVD & OSV.
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.