CVEs affecting projects tracked on Release Alert, from NVD & OSV.
JPEG XL (aka jpeg-xl) through 0.3.2 allows writable memory corruption.