CVEs affecting projects tracked on Release Alert, from NVD & OSV.
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.