My guess here is both CVE's were for deserialization gadget chains (one in JRE, the other in Laravel) which can't be trivially categorized as vulnerabilities (classes do what they are supposed to, only dev decided to YOLO unrelated parts of their code).