There is 1 open security issue in buster.
1 issue left for the package maintainer to handle:
Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
You can find information about how to handle this issue in the security team's documentation.