There are 2 open security issues in bullseye.
2 issues left for the package maintainer to handle:
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 184.108.40.206, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This could potentially allow control-flow bypass checks to be defeated if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 220.127.116.11 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, the maintainers do not recommend this.
You can find information about how to handle these issues in the security team's documentation.