CVEs affecting projects tracked on Release Alert, from NVD & OSV.
Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, or phone parameter.