| Version | Supported |
|---|---|
| Latest release on GitHub | Yes |
| Older tags | Best effort |
Senza is a local desktop application. It reads and writes audio files and metadata on disk. It does not require sign-in and does not upload your library to Floke servers.
Please do not file public issues for undisclosed security problems.
- Use GitHub Security → Advisories → Report a vulnerability on krwg/senza, or
- Contact the maintainer via a private channel on their GitHub profile.
Include:
- Description and impact
- Steps to reproduce
- Affected version / commit
- Optional patch or mitigation
We aim to acknowledge within a few days; timelines depend on maintainer availability.
- Remote code execution via IPC/preload bridge (
contextIsolationbypass) - Path traversal or arbitrary file write outside the library folder
- Unsafe handling of imported paths or tag/cover buffers
- XSS or script injection in renderer (CSP is strict:
default-src 'self')
- Physical access to the machine or malware already running as the user
- Social engineering
- Issues in third-party dependencies without a Senza-specific exploit path
- Missing features (e.g. FLAC tag write) unless they enable unintended file corruption
- Import music only from sources you trust.
- Library path defaults to
%APPDATA%/senza/library/— back up important collections before bulk tag edits.
by Floke · krwg