1. Drupal: I reported a (minor) CSRF hole in April, but never got a response. It was fixed in Drupal 5.8 earlier this month, credited to Heine of the Drupal security team.
2. Wordpress: I reported that this doesn't match 'UTF7', again in April this year. It might be unexploitable, but still - would have been nice to get a response.