CVEs affecting projects tracked on Release Alert, from NVD & OSV.
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.