Please do not open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub's private vulnerability reporting to report security issues.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Fix timeline: Provided within 7 days of acknowledgment
• Disclosure: Coordinated disclosure after fix is released

• Authentication and authorization bypass
• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Secrets or credentials exposure
• Dependency vulnerabilities with exploitable impact

• Self-hosted deployment misconfigurations
• Denial of service on self-hosted instances
• Issues in third-party dependencies without a demonstrated exploit