CVEs affecting projects tracked on Release Alert, from NVD & OSV.
Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.