Thank you for documenting the reasons. I have removed this alleged KeePass "vulnerability" from pkgsrc's list of vulnerable packages, so it can be downloaded and installed without warnings again.
Well, I didn't create the CVE, I'm just reporting it that it exists. For example, pkgsrc has been marking KeePass as having an "unspecified security vulnerability", and today I investigated whether that was still reproducible with the latest KeePass. It was. At least OWASP, MITRE and the BSI seem to agree that interpreting a leading '=' in a CSV file is not a bug in the office applications like Microsoft Word and LibreOffice Calc, but instead the fault is on the side that generates these CSV files....
CVE-2019-20184: exported CSV can contain Excel formulas
untranslateable plural forms
ambiguous text "variable file format"
MD5 is computed using external program
Released file contains .orig and .rej files
detection of stdio.h functions fails