CVEs affecting projects tracked on Release Alert, from NVD & OSV.
MODX Revolution through v2.7.0-pl allows XSS via the User Photo field.