I was having a look at the list of CVEs for webkit2gtk: https://security-tracker.debian.org/tracker/source-package/webkit2gtk
Two of them (CVE-2019-8375 and CVE-2017-17821) are listed as still open in buster / bullseye / sid, however 1) CVE-2019-8375 was fixed in webkit2gtk 2.23.90: https://github.com/Igalia/webkit/commit/15091e3aa288df50ade0d78b5f444ec0d1814573 2) CVE-2017-17821 was fixed in webkit2gtk 2.21.3: https://github.com/Igalia/webkit/commit/2a17b15297eb886b0bfb7d098ef607cfad6c3da0 Berto
