A quick look shows not much has been found CVE wise with godot, and not anything on the 4.x version of the engine. There is an interesting case of it being used to build a malware loader.

I've actually been playing with it a bit recently and have had a couple mysterious crashes in their ide. It's likely ripe fruit for a curious security researcher.