Both libexpat ("Expat") and uriparser are following the curl security vacation and will not accept new vulnerability reports before 2026-08-01, starting today.

[1] https://github.com/libexpat/libexpat/issues/1277

[2] https://github.com/uriparser/uriparser/issues/323