Please do not open a public issue for suspected vulnerabilities.
Send a private report to the maintainer with:
- affected version or commit
- reproduction steps
- expected impact
- any safe proof-of-concept details

The maintainer will acknowledge valid reports and coordinate fixes before public disclosure.