Back in January, a Drupal module called User Queue that I wrote and contributed to drupal.org got flagged as having a security vulnerability. To be clear, although User Queue is sort of useful (it's in production on both Observer.com and The Big Money), it's not exactly a huge or mission-critical component for any site that I'm aware of. In fact, it only really exists because the much more feature-rich Nodequeue doesn't handle users due to their being a different type of first-class object in Drupal.