There is 1 open security issue in buster.
1 issue left for the package maintainer to handle:
In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. NetHack 3.6.6 resolves this issue.
You can find information about how to handle this issue in the security team's documentation.