First of all, Community Builder and our CB add-ons are not vulnerable to the following third-party library vulnerabilities, in the default or in any reasonable configuration. Additionally, third-party CB add-ons that use the CB API correctly should also not be vulnerable through these third-party library vulnerabilities.
The CB team follows security news, and Beat is part of the Joomla Security Strike Team (JSST). Thus we are usually aware very early of new vulnerabilities potentially affecting Community Builder or our add-ons. For all the third-party library vulnerabilities below, we have usually been aware of the issues within hours, and could each time assess with highest priority that those vulnerabilities could not be exploited through Community Builder or any of our add-ons.
The CB team develops using defensive programming techniques. This means that we often have multiple levels of protection and filtering of user-supplied data, handle default cases, and always escape at the right place, so that security reviews are easy. Also, no code change is made in core CB without peer review inside the team. As a matter of fact, with CB 2.1.1, we are celebrating the 1234th merge request since CB 2.0! Each of those merge requests has been peer-reviewed and security-audited before being added to CB.
Community Builder 2.1.1 includes the newest PHPMailer 5.2.22 third-party emailing library and a security-improved version of the Guzzle HTTP/HTTPS requests third-party library.
As both libraries have experienced security vulnerabilities and fixes lately, the CB team is issuing the following security statement on those issues and their non-exploitability in Community Builder.