The original Keepass project has 11 CVEs. XC has 3, and has disputed all of them with e.g. "the vendor disputes this because memory-management constraints make this unavoidable in the current design and other realistic designs", etc.
Additionally, the original KeePass project has no public development or public review process for their code. They do everything behind the scenes and only publish code when a release is made. KeePass is "code available" open source.
