CVEs affecting projects tracked on Release Alert, from NVD & OSV.
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.