Please do not report security issues in public issues.
Send reports to the project maintainers with a clear description, affected versions or commits, reproduction steps, and expected impact. Avoid sharing secrets, tokens, or private customer data in reports.