CVEs affecting projects tracked on Release Alert, from NVD & OSV.
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.