Not only that but debian has for example, debsecan so you can see on any system what CVEs exist and if your packages are patched. ex from my system I ran it and got
reply> CVE-2026-32105 xrdp
which i see has a fix in sid but not on bookworm
> CVE-2026-32105 xrdp
which i see has a fix in sid but not on bookworm