CVEs affecting projects tracked on Release Alert, from NVD & OSV.
Pagure before 5.6 allows XSS via the templates/blame.html blame view.