Note that none of these CVEs is exploitable without the developer _also_ misusing the API or exposing the vulnerability to some data that the attacker can control. It's unclear whether these can be thought of as bona fide security holes.