Google frequently holds live (and recorded) sessions where webmasters, developers, and solopreneurs can attend. These sessions are in a few languages (English, German, and Japanese are the ones I know of).
These are called Office-Hours, and are formatted in a Q&A style.
For the English Office-Hours, Google Search Advocate John Mueller is usually the host and coordinator. He answers questions that are either submitted or asked live.
During the English Google SEO Office-Hours from October 22, 2021, at around the 37-minute, 27-second mark, John was asked a question about site security and SEO:
“After doing a Lighthouse report on our site, we noticed a common JavaScript library we used was flagged as having two security vulnerabilities.
“Do these vulnerabilities have any effect on SEO, or would you say this is more just to let us know?”
John’s response was, “I wouldn’t see it as something that will change your rankings immediately.”
“So, Lighthouse is, I think, a tool within Chrome, and also a standalone tool I think. Not sure if it’s just in Chrome. But it’s basically from the Chrome side. It’s not, by definition, an SEO tool.
Not Flagged As An SEO Tool, Unless…
“But it does have a lot of things that you can use for SEO. And specifically, security vulnerabilities are not something that we would flag as an SEO issue.
“But if these are real vulnerabilities on scripts that you’re using, and that means that your website ends up getting hacked, then the hacked state of your website, that would be a problem for SEO.
“But just the possibility that it might be hacked, that’s not an issue with regards to SEO.
“So, from that point of view, I would take this as something to double-check together with maybe developers, or double-check if you can update those libraries.
“But I wouldn’t see it as something that will change your rankings immediately.”
So, site vulnerabilities may not directly, or immediately, have an effect on ranking, but a site that’s been hacked, and stays in a hacked state, may suffer from SEO consequences.