Cure53 found 5 vulnerabilities, with one of medium severity, one of low severity and 3 miscellaneous issues, ie not directly exploitable.
Importantly, all issues found were not exploitable remotely, but concerned someone that already has acess to a mullvad server.
Summary from Mullvad , full report