Hi, I found [1] which lists which versions of OpenEXR are vulnerable to which CVE. All the CVEs mentioned here were fixed in version 2.5.4 [2], while we are currently tracking version 2.5.5, for which there are no known CVEs. I will close this issue. Feel free to reopen if I missed anything. [1] https://github.com/AcademySoftwareFoundation/openexr/blob/master/SECURITY.md [2] https://github.com/AcademySoftwareFoundation/openexr/blob/master/CHANGES.md#version-254-december-31-2020