Please do not open a public GitHub issue for security-sensitive reports.
Instead, contact the maintainer privately and include:
- affected version
- reproduction steps
- impact assessment
- proof of concept if available
You can acknowledge receipt within a reasonable time window and coordinate a fix before public disclosure.