CVEs affecting projects tracked on Release Alert, from NVD & OSV.
sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.